Title: Codemod: request-data-write Semgrep · Issue #680 · pixee/codemodder-python · GitHub
Opengraph URL: https://github.com/pixee/codemodder-python/issues/680
Author: clavedeluna (https://github.com/clavedeluna)
Published: 2024-07-01T11:17:43Z

Running semgrep on pygoat

```
 ❯❱ python.django.security.injection.request-data-write.request-data-write
 Found user-controlled request data passed into '.write(...)'. This could be dangerous if a malicious
 actor is able to control data into sensitive files. For example, a malicious actor could force
 rolling of critical log files, or cause a denial-of-service by using up available disk space.
 Instead, ensure that request data is properly escaped or sanitized.
 Details: https://sg.run/0Q6j

 59┆ log_code = request.POST.get('log_code')
 60┆ api_code = request.POST.get('api_code')
 61┆ dirname = os.path.dirname(__file__)
 62┆ log_filename = os.path.join(dirname, "playground/A9/main.py")
 63┆ api_filename = os.path.join(dirname, "playground/A9/api.py")
 64┆ f = open(log_filename,"w")
 65┆ f.write(log_code)
 ⋮┆----------------------------------------
 60┆ api_code = request.POST.get('api_code')
 61┆ dirname = os.path.dirname(__file__)
 62┆ log_filename = os.path.join(dirname, "playground/A9/main.py")
 63┆ api_filename = os.path.join(dirname, "playground/A9/api.py")
 64┆ f = open(log_filename,"w")
 65┆ f.write(log_code)
 66┆ f.close()
 67┆ f = open(api_filename,"w")
 68┆ f.write(api_code)
```

We don't have an existing transformer that aligns with this. Could we just wrap arguments to open and write with escape or some other sanitization func?
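The codemod sketched in the issue, as an added example that is not part of the issue and not codemodder-python's own transformer: a standard-library `ast.NodeTransformer` that tracks names assigned from Django request sources (`request.POST`, `request.GET`, `request.body`, etc.) and wraps the argument of any `.write(...)` call that receives such data in a sanitizer call. The helper name `sanitize_request_data`, the set of request attributes treated as sources, and the sample Django view text are assumptions made for this example; the sanitizer shown only caps the length (the disk-space concern from the Semgrep message) and drops control characters, so a real codemod would pick the policy that fits the project. The constant-string `g.write(...)` in the sample stays untouched, and re-running the transform on its own output makes no further change.

```python
import ast

# Hypothetical sanitizer the codemod inserts (assumption; not codemodder-python's helper).
SANITIZER = "sanitize_request_data"

# Django HttpRequest attributes treated as user-controlled sources (assumption for this example).
REQUEST_SOURCES = {"GET", "POST", "COOKIES", "FILES", "META", "body", "data"}

# Constructed sample view body, modelled on the finding in the issue (not pygoat's real file).
SAMPLE = """
log_code = request.POST.get('log_code')
api_code = request.POST.get('api_code')
f = open(log_filename, "w")
f.write(log_code)
f.close()
f = open(api_filename, "w")
f.write(api_code)
g = open("static.txt", "w")
g.write("constant text")
"""


def sanitize_request_data(value, max_chars=64 * 1024):
    """Illustrative sanitizer: text only, bounded size, no control characters except newline/tab."""
    if not isinstance(value, str):
        raise TypeError("request data must be text")
    cleaned = "".join(ch for ch in value if ch in "\n\t" or ch.isprintable())
    return cleaned[:max_chars]


def _is_request_data(node):
    """True for expressions rooted at `request.<SOURCE>`, e.g. request.POST.get('k') or request.body."""
    if isinstance(node, ast.Call):
        node = node.func
    attrs = []
    while isinstance(node, (ast.Attribute, ast.Subscript)):
        if isinstance(node, ast.Attribute):
            attrs.append(node.attr)
        node = node.value
    return isinstance(node, ast.Name) and node.id == "request" and bool(set(attrs) & REQUEST_SOURCES)


class RequestDataWriteTransformer(ast.NodeTransformer):
    """Wrap `<obj>.write(<tainted>)` as `<obj>.write(sanitize_request_data(<tainted>))`."""

    def __init__(self):
        self.tainted = set()   # local names currently holding raw request data
        self.changed = 0       # number of write() calls rewritten

    def visit_Assign(self, node):
        self.generic_visit(node)
        if len(node.targets) == 1 and isinstance(node.targets[0], ast.Name):
            name = node.targets[0].id
            # A plain assignment from a request source taints the name; any other
            # assignment (including one through the sanitizer) clears it.
            if _is_request_data(node.value):
                self.tainted.add(name)
            else:
                self.tainted.discard(name)
        return node

    def visit_Call(self, node):
        self.generic_visit(node)
        if isinstance(node.func, ast.Attribute) and node.func.attr == "write" and len(node.args) == 1:
            arg = node.args[0]
            if _is_request_data(arg) or (isinstance(arg, ast.Name) and arg.id in self.tainted):
                node.args[0] = ast.Call(
                    func=ast.Name(id=SANITIZER, ctx=ast.Load()), args=[arg], keywords=[]
                )
                self.changed += 1
        return node


def transform(source):
    """Return (rewritten source, number of write() calls wrapped). Needs Python 3.9+ for ast.unparse."""
    tree = ast.parse(source)
    transformer = RequestDataWriteTransformer()
    new_tree = ast.fix_missing_locations(transformer.visit(tree))
    return ast.unparse(new_tree), transformer.changed


if __name__ == "__main__":
    rewritten, count = transform(SAMPLE)
    print(f"wrapped {count} write() call(s):\n{rewritten}")
```

The taint tracking here is deliberately flat (one assignment deep, no branches or function boundaries), which is enough to match the shape Semgrep reports in the issue; a production codemod would rely on the tool's own dataflow results rather than re-deriving them, and would also have to add the import for whichever sanitizer it inserts.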