[pitboss] phase 12: Track L.10 — Flask / Django / FastAPI / Starlette adapters

tests/dynamic_fixtures/python_frameworks/django/benign.py

@@ -0,0 +1,22 @@
+"""Phase 12 (Track L.10) — Django CMDI benign fixture.
+
+`run_cmd(request)` reads `request.GET["cmd"]` but rejects anything
+outside an allowlist before invoking `subprocess.run` with a fixed
+argv, so the sink call is unreachable for attacker-controlled values.
+"""
+import subprocess
+from django.http import HttpResponse
+from django.urls import path
+
+_ALLOW = {"status", "uptime", "version"}
+
+
+def run_cmd(request):
+    cmd = request.GET.get("cmd", "")
+    if cmd not in _ALLOW:
+        return HttpResponse("rejected", status=400)
+    subprocess.run(["/usr/bin/echo", cmd], check=False)
+    return HttpResponse("ok")
+
+
+urlpatterns = [path("run/", run_cmd)]

tests/dynamic_fixtures/python_frameworks/django/vuln.py

@@ -0,0 +1,18 @@
+"""Phase 12 (Track L.10) — Django CMDI vuln fixture.
+
+`run_cmd(request)` reads `request.GET["cmd"]` and pipes it straight to
+`os.system`.  Adapter binding: `path("run/", run_cmd)` registration with
+`cmd` flowing through `request.GET`.
+"""
+import os
+from django.http import HttpResponse
+from django.urls import path
+
+
+def run_cmd(request):
+    cmd = request.GET.get("cmd", "")
+    os.system(cmd)
+    return HttpResponse("ok")
+
+
+urlpatterns = [path("run/", run_cmd)]