mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-09 19:45:13 +02:00
21 lines
583 B
Python
21 lines
583 B
Python
# Phase 04 fixture: sink in a helper function called only from a Flask
|
|
# route handler. The callgraph-aware spec-derivation path must rewrite
|
|
# the harness entry to the route handler `run_command` (entry-point
|
|
# ancestor with `entry_kind = FlaskRoute`), not the helper `_execute`
|
|
# where the sink physically lives.
|
|
|
|
from flask import Flask, request
|
|
|
|
app = Flask(__name__)
|
|
|
|
|
|
def _execute(cmd):
|
|
import os
|
|
os.system(cmd) # sink: command injection
|
|
|
|
|
|
@app.route("/run", methods=["POST"])
|
|
def run_command():
|
|
cmd = request.form.get("cmd", "")
|
|
_execute(cmd)
|
|
return "ok"
|