import tarfile
import zipfile
import tty # this import is only here so logic for detecting stdlib works
from fastapi import FastAPI
# Application object the route below is registered on; this module is a
# fixture, so the app is never served here.
app = FastAPI()
@app.post("/bomb")
async def bomb(file_path):
    """Exercise archive and decompression entry points on a request-supplied path.

    Test fixture: each call below reads or extracts from ``file_path`` through a
    different stdlib or pandas API. The trailing ``# $ result=BAD`` markers read
    as expected-result annotations for a static-analysis query (presumably a
    decompression-bomb check); ``# $ SPURIOUS: result=BAD`` marks a line the
    query is known to flag even though it only writes. No call here bounds the
    inflated size, which is what makes the "BAD" lines reportable.

    Args:
        file_path: Path to the archive. It is bound from the request by
            FastAPI, so it should be treated as client-controlled; no
            validation is visible in this function.

    Returns:
        A fixed ``{"message": "bomb"}`` dict.
    """
    # zipfile: extraction and member reads, with and without a context manager.
    zipfile.ZipFile(file_path, "r").extract("file1") # $ result=BAD
    zipfile.ZipFile(file_path, "r").extractall() # $ result=BAD
    with zipfile.ZipFile(file_path) as myzip:
        with myzip.open('ZZ') as myfile: # $ result=BAD
            a = myfile.readline()
    # Write mode: nothing is inflated, so a report here is a known false positive.
    with zipfile.ZipFile(file_path) as myzip:
        with myzip.open('ZZ', mode="w") as myfile: # $ SPURIOUS: result=BAD
            myfile.write(b"tmpppp")
    zipfile.ZipFile(file_path).read("aFileNameInTheZipFile") # $ result=BAD
    # tarfile: module-level open plus the TarFile class constructors.
    tarfile.open(file_path).extractfile("file1.txt") # $ result=BAD
    tarfile.TarFile.open(file_path).extract("somefile") # $ result=BAD
    tarfile.TarFile.xzopen(file_path).extract("somefile") # $ result=BAD
    tarfile.TarFile.gzopen(file_path).extractall() # $ result=BAD
    tarfile.TarFile.open(file_path).extractfile("file1.txt") # $ result=BAD
    # Write modes never decompress an existing member.
    tarfile.open(file_path, mode="w") # ok, writing
    tarfile.TarFile.gzopen(file_path, mode="w") # ok, writing
    tarfile.TarFile.open(file_path, mode="r:") # potential problem, depending on usage
    # Imports below are function-local on purpose: the fixture checks that the
    # query resolves modules imported inside the handler as well.
    import shutil
    shutil.unpack_archive(file_path) # $ result=BAD
    # Single-stream compressors: opening alone is flagged, not only the read.
    import lzma
    lzma.open(file_path) # $ result=BAD
    lzma.LZMAFile(file_path).read() # $ result=BAD
    import bz2
    bz2.open(file_path) # $ result=BAD
    bz2.BZ2File(file_path).read() # $ result=BAD
    import gzip
    gzip.open(file_path) # $ result=BAD
    gzip.GzipFile(file_path) # $ result=BAD
    from compression import zstd
    zstd.open(file_path) # $ result=BAD
    zstd.ZstdFile(file_path).read() # $ result=BAD
    # pandas readers: compression is inferred from the path when not given,
    # so the first call is expected to be flagged like the explicit 'gzip' ones.
    import pandas
    pandas.read_csv(filepath_or_buffer=file_path) # $ result=BAD
    pandas.read_table(file_path, compression='gzip') # $ result=BAD
    pandas.read_xml(file_path, compression='gzip') # $ result=BAD
    pandas.read_csv(filepath_or_buffer=file_path, compression='gzip') # $ result=BAD
    pandas.read_json(file_path, compression='gzip') # $ result=BAD
    pandas.read_sas(file_path, compression='gzip') # $ result=BAD
    pandas.read_stata(filepath_or_buffer=file_path, compression='gzip') # $ result=BAD
    pandas.read_table(file_path, compression='gzip') # $ result=BAD
    pandas.read_xml(path_or_buffer=file_path, compression='gzip') # $ result=BAD
    # no compression no DOS: compression='tar' is a plain archive wrapper, so
    # these calls carry no expected-result marker.
    pandas.read_table(file_path, compression='tar')
    pandas.read_xml(file_path, compression='tar')
    pandas.read_csv(filepath_or_buffer=file_path, compression='tar')
    pandas.read_json(file_path, compression='tar')
    pandas.read_sas(file_path, compression='tar')
    pandas.read_stata(filepath_or_buffer=file_path, compression='tar')
    pandas.read_table(file_path, compression='tar')
    pandas.read_xml(path_or_buffer=file_path, compression='tar')
    return {"message": "bomb"}