# Phase 11 (Track J.9) — Python UNAUTHORIZED_ID vuln fixture.
#
# Looks up a record by `owner_id` without checking it against the
# authenticated caller; an attacker who supplies another user's id
# reads that user's record.
# In-memory record store keyed by owner id. Each value is that owner's
# record, which is the data an ownership check would have to protect.
_STORE = {
    "alice": {"email": "alice@x"},
    "bob": {"email": "bob@x"},
}

# Identity of the caller for this fixture (presumably the stand-in for the
# authenticated principal; the file header refers to "the authenticated
# caller"). No code visible in this file reads it, so it serves only as
# the value a lookup *should* have been compared against.
_CALLER_ID = "alice"
def run(owner_id):
    """Return the stored record for *owner_id*, or ``None`` if there is none.

    Intentionally vulnerable fixture (UNAUTHORIZED_ID): ``owner_id`` is used
    as the lookup key as-is and is never compared with ``_CALLER_ID``, so the
    caller's identity plays no part in which record is returned. Keep this
    behaviour unchanged, since the missing ownership check is what the
    fixture exists to exhibit. A non-fixture handler would refuse the lookup
    when ``owner_id != _CALLER_ID`` (or derive the key from the authenticated
    identity rather than from caller-supplied input).
    """
    # Direct object reference: the key comes straight from the argument.
    record = _STORE.get(owner_id)
    return record