[pitboss] phase 12: Track L.10 — Flask / Django / FastAPI / Starlette adapters

tests/dynamic_fixtures/python_frameworks/flask/benign.py

@@ -0,0 +1,21 @@
+"""Phase 12 (Track L.10) — Flask CMDI benign fixture.
+
+The `/run` route accepts a `cmd` query parameter but rejects everything
+outside an allowlist before invoking `subprocess.run` with a fixed argv,
+so the sink call is unreachable for attacker-controlled values.
+"""
+import subprocess
+from flask import Flask, request
+
+app = Flask(__name__)
+
+_ALLOW = {"status", "uptime", "version"}
+
+
+@app.route("/run", methods=["GET"])
+def run_cmd():
+    cmd = request.args.get("cmd", "")
+    if cmd not in _ALLOW:
+        return "rejected", 400
+    subprocess.run(["/usr/bin/echo", cmd], check=False)
+    return "ok"

tests/dynamic_fixtures/python_frameworks/flask/vuln.py

@@ -0,0 +1,18 @@
+"""Phase 12 (Track L.10) — Flask CMDI vuln fixture.
+
+The `/run` route forwards a `cmd` query parameter straight into
+`os.system`, so any attacker who reaches the route can execute
+arbitrary shell.  Adapter binding: `@app.route("/run", methods=["GET"])`
+with `cmd` flowing through `request.args.get`.
+"""
+import os
+from flask import Flask, request
+
+app = Flask(__name__)
+
+
+@app.route("/run", methods=["GET"])
+def run_cmd():
+    cmd = request.args.get("cmd", "")
+    os.system(cmd)
+    return "ok"