mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-09 19:45:13 +02:00
22 lines
657 B
Python
22 lines
657 B
Python
"""Phase 12 (Track L.10) — Django CMDI benign fixture.
|
|
|
|
`run_cmd(request)` reads `request.GET["cmd"]` but rejects anything
|
|
outside an allowlist before invoking `subprocess.run` with a fixed
|
|
argv, so the sink call is unreachable for attacker-controlled values.
|
|
"""
|
|
import subprocess
|
|
from django.http import HttpResponse
|
|
from django.urls import path
|
|
|
|
_ALLOW = {"status", "uptime", "version"}
|
|
|
|
|
|
def run_cmd(request):
|
|
cmd = request.GET.get("cmd", "")
|
|
if cmd not in _ALLOW:
|
|
return HttpResponse("rejected", status=400)
|
|
subprocess.run(["/usr/bin/echo", cmd], check=False)
|
|
return HttpResponse("ok")
|
|
|
|
|
|
urlpatterns = [path("run/", run_cmd)]
|