[pitboss] phase 02: M2 — Python end-to-end excellence with all hardening baked in

tests/dynamic_fixtures/python/ssrf_positive.py

@@ -0,0 +1,16 @@
+"""SSRF — positive fixture.
+
+Vulnerable function: fetches a user-controlled URL.
+Expected verdict: Confirmed (file:// payload reads /etc/passwd → "root:").
+"""
+import urllib.request
+
+
+def fetch_url(url):
+    """Vulnerable: fetches URL provided by user without validation."""
+    try:
+        with urllib.request.urlopen(url, timeout=3) as resp:
+            content = resp.read().decode("utf-8", errors="replace")
+            print(content)
+    except Exception as e:
+        print(f"Fetch error: {e}", end="")