Add trailing slash option to aiohttp routes and general updates

Contrast-Security-OSS · Jul 14, 2023 · 1d06760 · 1d06760
1 parent 325c270
commit 1d06760
Show file tree

Hide file tree

Showing 8 changed files with 27 additions and 25 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -8,23 +8,23 @@ concurrency:
 
 jobs:
   black:
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v4
         with:
-          python-version: 3.7
+          python-version: '3.11'
       - run: pip install tox
       - name: Run black
         run: tox -e black
 
   flake8:
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v4
         with:
-          python-version: 3.7
+          python-version: '3.11'
       - run: pip install tox
       - name: Run flake8
         run: tox -e flake8
@@ -33,46 +33,46 @@ jobs:
     needs:
       - black
       - flake8
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: [3.7, 3.8, 3.9]
+        python-version: ['3.7', '3.8', '3.9', '3.10', '3.11']
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@v4
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install dependencies
         run: |
-          sudo apt-get update && sudo apt-get install libxml2-dev libxslt-dev python-dev
+          sudo apt-get update && sudo apt-get install libxml2-dev libxslt-dev
           python -m pip install --upgrade pip
           pip install tox
       - name: Run unit tests
         env:
           TOX_COV_SUFFIX: py${{ matrix.python-version }}
         run: tox -e pytest
       - name: Upload coverage
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           path: .coverage.py${{ matrix.python-version }}
 
   coverage:
     needs: test
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v4
         with:
-          python-version: 3.7
+          python-version: '3.7'
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
           pip install coverage
       - name: Download coverage results
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@v3
       - name: Compute coverage
         run: |
           coverage combine artifact/
-          coverage report -i -m --fail-under=100
+          coverage report -i -m --fail-under=100
diff --git a/Makefile b/Makefile
@@ -1,7 +1,7 @@
 HOST ?= localhost
 PORT ?= 8000
 UWSGI_OPTIONS := --enable-threads --single-interpreter --master --lazy-apps --http $(HOST):$(PORT) --honour-stdin
-GUNICORN_OPTIONS := --timeout=0 --preload -b $(HOST):$(PORT)
+GUNICORN_OPTIONS := --timeout=0 -b $(HOST):$(PORT)
 
 export VULNPY_REAL_SSRF_REQUESTS = true
 

diff --git a/setup.py b/setup.py
@@ -70,6 +70,8 @@
         "Programming Language :: Python :: 3.7",
         "Programming Language :: Python :: 3.8",
         "Programming Language :: Python :: 3.9",
+        "Programming Language :: Python :: 3.10",
+        "Programming Language :: Python :: 3.11",
     ],
     keywords="security testing",
     author="Contrast Security, Inc.",

diff --git a/src/vulnpy/aiohttp/vulnerable_routes.py b/src/vulnpy/aiohttp/vulnerable_routes.py
@@ -69,6 +69,7 @@ def generate_trigger_urls():
 
             setattr(view_func, "__name__", view_name)
             trigger_urls.append(web.get(view_name, view_func))
+            trigger_urls.append(web.get(view_name + "/", view_func))
 
     return trigger_urls
 

diff --git a/src/vulnpy/falcon/vulnerable.py b/src/vulnpy/falcon/vulnerable.py
@@ -62,7 +62,6 @@ def find_base_class(name):
 
 
 def get_trigger_view(name, trigger):
-
     baseclass = find_base_class(name)
 
     class _View(baseclass):

diff --git a/src/vulnpy/falcon/vulnerable_asgi.py b/src/vulnpy/falcon/vulnerable_asgi.py
@@ -62,7 +62,6 @@ def find_base_class(name):
 
 
 def get_trigger_view(name, trigger):
-
     baseclass = find_base_class(name)
 
     class _View(baseclass):

diff --git a/tests/flask/test_blueprint.py b/tests/flask/test_blueprint.py
@@ -32,7 +32,8 @@ def test_trigger(client, request_method, view_name, trigger_name):
         data = "'{}'".format(data)
 
     response = get_or_post(
-        "/vulnpy/{}/{}/?user_input={}".format(view_name, trigger_name, data),
+        "/vulnpy/{}/{}/".format(view_name, trigger_name),
+        query_string={"user_input": data},
         data={"user_input": data},
     )
     assert response.status_code == 200

diff --git a/tox.ini b/tox.ini
@@ -7,7 +7,7 @@ envlist =
 [testenv:black]
 skip_install = True
 deps =
-    black==22.3.0
+    black==23.7.0
 commands =
     black --check .