nyx/tests/dynamic_fixtures/python/django/vuln.py

"""Phase 12 — Django view, vulnerable.

Function-based view driven via `django.test.RequestFactory`.  The
harness configures a minimal Django settings module at runtime so the
view can be called without a project layout.
"""
import subprocess

from django.http import HttpResponse


def ping(request):
    """Vulnerable: query parameter flows to subprocess(shell=True)."""
    host = request.GET.get("host", "")
    result = subprocess.run(
        "ping -c 1 " + host,
        shell=True,
        capture_output=True,
        text=True,
        timeout=5,
    )
    return HttpResponse(result.stdout + result.stderr)
Dynamic (#77) 2026-06-05 10:16:30 -05:00			`"""Phase 12 — Django view, vulnerable.`

			Function-based view driven via `django.test.RequestFactory`. The
			`harness configures a minimal Django settings module at runtime so the`
			`view can be called without a project layout.`
			`"""`
			`import subprocess`

			`from django.http import HttpResponse`


			`def ping(request):`
			`"""Vulnerable: query parameter flows to subprocess(shell=True)."""`
			`host = request.GET.get("host", "")`
			`result = subprocess.run(`
			`"ping -c 1 " + host,`
			`shell=True,`
			`capture_output=True,`
			`text=True,`
			`timeout=5,`
			`)`
			`return HttpResponse(result.stdout + result.stderr)`