Dynamic (#77)

tests/dynamic_fixtures/python/flask/vuln.py

@@ -0,0 +1,25 @@
+"""Phase 12 — Flask route, vulnerable.
+
+Vulnerable route reads the `host` query parameter and concatenates it
+into a shell command.  Nyx harness reaches the route via
+`app.test_client()` so no real network listener is bound.
+"""
+import subprocess
+
+from flask import Flask, request
+
+app = Flask(__name__)
+
+
+@app.route("/ping", methods=["GET"])
+def ping():
+    """Vulnerable: untrusted query param flows to subprocess(shell=True)."""
+    host = request.args.get("host", "")
+    result = subprocess.run(
+        "ping -c 1 " + host,
+        shell=True,
+        capture_output=True,
+        text=True,
+        timeout=5,
+    )
+    return result.stdout + result.stderr