Code Security Report: 6 high severity findings, 10 total findings

[mend-for-github-com]

Code Security Report

Latest Scan: 2022-12-23 01:59pm
Total Findings: 10
Tested Project Files: 99
Detected Programming Languages: 1

• Check this box to manually trigger a scan

Language: Python

Severity	CWE	Vulnerability Type	Count
High	CWE-78	Command Injection	4
High	CWE-79	Cross-Site Scripting	2
Low	CWE-916	Weak Hash Strength	4

Details

The below list presents the 6 high vulnerability findings that need your attention. To view information on these findings, navigate to the Mend SAST Application.

Command Injection (CWE-78) : 4

Findings

trigger/cmdi.py:6

VulnpyPython/src/vulnpy/trigger/cmdi.py

Lines 1 to 6 in ebb466a

	import os
	import subprocess
	def do_os_system(command):
	return os.system(command)

Trace

VulnpyPython/apps/quart_app.py

Line 19 in ebb466a

files = await request.files

VulnpyPython/apps/quart_app.py

Line 20 in ebb466a

stream = files.get("file")

VulnpyPython/apps/quart_app.py

Line 21 in ebb466a

user_input = stream.read()

VulnpyPython/src/vulnpy/trigger/cmdi.py

Line 5 in ebb466a

def do_os_system(command):

VulnpyPython/src/vulnpy/trigger/cmdi.py

Line 6 in ebb466a

return os.system(command)

apps/falcon_app.py:29

VulnpyPython/apps/falcon_app.py

Lines 24 to 29 in ebb466a

	user_input = req._params["upload"].file.read()
	digest = hexlify(md5(user_input).digest()).decode("utf8")
	cmd = "echo " + str(user_input[:10])
	os.system(cmd)

Trace

VulnpyPython/apps/falcon_app.py

Line 24 in ebb466a

user_input = req._params["upload"].file.read()

VulnpyPython/apps/falcon_app.py

Line 28 in ebb466a

cmd = "echo " + str(user_input[:10])

VulnpyPython/apps/falcon_app.py

Line 29 in ebb466a

os.system(cmd)

trigger/cmdi.py:6

VulnpyPython/src/vulnpy/trigger/cmdi.py

Lines 1 to 6 in ebb466a

	import os
	import subprocess
	def do_os_system(command):
	return os.system(command)

Trace

VulnpyPython/apps/fastapi_app.py

Line 32 in ebb466a

content = await file.read()

VulnpyPython/src/vulnpy/trigger/cmdi.py

Line 5 in ebb466a

def do_os_system(command):

VulnpyPython/src/vulnpy/trigger/cmdi.py

Line 6 in ebb466a

return os.system(command)

trigger/cmdi.py:6

VulnpyPython/src/vulnpy/trigger/cmdi.py

Lines 1 to 6 in ebb466a

	import os
	import subprocess
	def do_os_system(command):
	return os.system(command)

Trace

VulnpyPython/apps/quart_app.py

Line 21 in ebb466a

user_input = stream.read()

VulnpyPython/src/vulnpy/trigger/cmdi.py

Line 5 in ebb466a

def do_os_system(command):

VulnpyPython/src/vulnpy/trigger/cmdi.py

Line 6 in ebb466a

return os.system(command)

Cross-Site Scripting (CWE-79) : 2

Findings

django/vulnerable_asgi.py:55

VulnpyPython/src/vulnpy/django/vulnerable_asgi.py

Lines 50 to 55 in ebb466a

	template = get_template("{}.html".format(name))
	if name == "xss" and trigger == "raw":
	template += "<p>XSS: " + user_input + "</p>"
	return HttpResponse(template)

Trace

VulnpyPython/src/vulnpy/django/vulnerable_asgi.py

Line 23 in ebb466a

header_user_input = request.META.get("HTTP_QUERY_STRING")

VulnpyPython/src/vulnpy/django/vulnerable_asgi.py

Line 44 in ebb466a

user_input = await _get_user_input(request)

VulnpyPython/src/vulnpy/django/vulnerable_asgi.py

Line 53 in ebb466a

template += "<p>XSS: " + user_input + "</p>"

VulnpyPython/src/vulnpy/django/vulnerable_asgi.py

Line 55 in ebb466a

return HttpResponse(template)

django/vulnerable.py:38

VulnpyPython/src/vulnpy/django/vulnerable.py

Lines 33 to 38 in ebb466a

	template = get_template("{}.html".format(name))
	if name == "xss" and trigger == "raw":
	template += "<p>XSS: " + user_input + "</p>"
	return HttpResponse(template)

Trace

VulnpyPython/src/vulnpy/django/vulnerable.py

Line 14 in ebb466a

return request.GET.get("user_input", "")

VulnpyPython/src/vulnpy/django/vulnerable.py

Line 27 in ebb466a

user_input = _get_user_input(request)

VulnpyPython/src/vulnpy/django/vulnerable.py

Line 36 in ebb466a

template += "<p>XSS: " + user_input + "</p>"

VulnpyPython/src/vulnpy/django/vulnerable.py

Line 38 in ebb466a

return HttpResponse(template)