diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 08beb8f..382d6f9 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -8,23 +8,23 @@ concurrency: jobs: black: - runs-on: ubuntu-18.04 + runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - uses: actions/setup-python@v2 + - uses: actions/checkout@v3 + - uses: actions/setup-python@v4 with: - python-version: 3.7 + python-version: '3.11' - run: pip install tox - name: Run black run: tox -e black flake8: - runs-on: ubuntu-18.04 + runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - uses: actions/setup-python@v2 + - uses: actions/checkout@v3 + - uses: actions/setup-python@v4 with: - python-version: 3.7 + python-version: '3.11' - run: pip install tox - name: Run flake8 run: tox -e flake8 @@ -33,20 +33,20 @@ jobs: needs: - black - flake8 - runs-on: ubuntu-18.04 + runs-on: ubuntu-latest strategy: matrix: - python-version: [3.7, 3.8, 3.9] + python-version: ['3.7', '3.8', '3.9', '3.10', '3.11'] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v2 + uses: actions/setup-python@v4 with: python-version: ${{ matrix.python-version }} - name: Install dependencies run: | - sudo apt-get update && sudo apt-get install libxml2-dev libxslt-dev python-dev + sudo apt-get update && sudo apt-get install libxml2-dev libxslt-dev python -m pip install --upgrade pip pip install tox - name: Run unit tests @@ -54,25 +54,25 @@ jobs: TOX_COV_SUFFIX: py${{ matrix.python-version }} run: tox -e pytest - name: Upload coverage - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v3 with: path: .coverage.py${{ matrix.python-version }} coverage: needs: test - runs-on: ubuntu-18.04 + runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - uses: actions/setup-python@v2 + - uses: actions/checkout@v3 + - uses: actions/setup-python@v4 with: - python-version: 3.7 + python-version: '3.7' - name: Install dependencies run: | python -m pip install --upgrade pip pip install coverage - name: Download coverage results - uses: actions/download-artifact@v2 + uses: actions/download-artifact@v3 - name: Compute coverage run: | coverage combine artifact/ - coverage report -i -m --fail-under=100 \ No newline at end of file + coverage report -i -m --fail-under=100 diff --git a/Makefile b/Makefile index 7d9b473..b998234 100644 --- a/Makefile +++ b/Makefile @@ -1,7 +1,7 @@ HOST ?= localhost PORT ?= 8000 UWSGI_OPTIONS := --enable-threads --single-interpreter --master --lazy-apps --http $(HOST):$(PORT) --honour-stdin -GUNICORN_OPTIONS := --timeout=0 --preload -b $(HOST):$(PORT) +GUNICORN_OPTIONS := --timeout=0 -b $(HOST):$(PORT) export VULNPY_REAL_SSRF_REQUESTS = true diff --git a/setup.py b/setup.py index a2d809c..89f1f04 100644 --- a/setup.py +++ b/setup.py @@ -70,6 +70,8 @@ "Programming Language :: Python :: 3.7", "Programming Language :: Python :: 3.8", "Programming Language :: Python :: 3.9", + "Programming Language :: Python :: 3.10", + "Programming Language :: Python :: 3.11", ], keywords="security testing", author="Contrast Security, Inc.", diff --git a/src/vulnpy/aiohttp/vulnerable_routes.py b/src/vulnpy/aiohttp/vulnerable_routes.py index 2775e66..bdf2668 100644 --- a/src/vulnpy/aiohttp/vulnerable_routes.py +++ b/src/vulnpy/aiohttp/vulnerable_routes.py @@ -69,6 +69,7 @@ def generate_trigger_urls(): setattr(view_func, "__name__", view_name) trigger_urls.append(web.get(view_name, view_func)) + trigger_urls.append(web.get(view_name + "/", view_func)) return trigger_urls diff --git a/src/vulnpy/falcon/vulnerable.py b/src/vulnpy/falcon/vulnerable.py index 8f5f8d9..c573aac 100644 --- a/src/vulnpy/falcon/vulnerable.py +++ b/src/vulnpy/falcon/vulnerable.py @@ -62,7 +62,6 @@ def find_base_class(name): def get_trigger_view(name, trigger): - baseclass = find_base_class(name) class _View(baseclass): diff --git a/src/vulnpy/falcon/vulnerable_asgi.py b/src/vulnpy/falcon/vulnerable_asgi.py index f88f944..54619f1 100644 --- a/src/vulnpy/falcon/vulnerable_asgi.py +++ b/src/vulnpy/falcon/vulnerable_asgi.py @@ -62,7 +62,6 @@ def find_base_class(name): def get_trigger_view(name, trigger): - baseclass = find_base_class(name) class _View(baseclass): diff --git a/tests/flask/test_blueprint.py b/tests/flask/test_blueprint.py index 80a39ba..b4fee47 100644 --- a/tests/flask/test_blueprint.py +++ b/tests/flask/test_blueprint.py @@ -32,7 +32,8 @@ def test_trigger(client, request_method, view_name, trigger_name): data = "'{}'".format(data) response = get_or_post( - "/vulnpy/{}/{}/?user_input={}".format(view_name, trigger_name, data), + "/vulnpy/{}/{}/".format(view_name, trigger_name), + query_string={"user_input": data}, data={"user_input": data}, ) assert response.status_code == 200 diff --git a/tox.ini b/tox.ini index f8641a5..130a908 100644 --- a/tox.ini +++ b/tox.ini @@ -7,7 +7,7 @@ envlist = [testenv:black] skip_install = True deps = - black==22.3.0 + black==23.7.0 commands = black --check .