From fb55aa39701df8a28bea106ea7df199c3cb3af1b Mon Sep 17 00:00:00 2001
From: David Kerkeslager
Date: Sat, 10 Sep 2016 12:07:55 -0400
Subject: [PATCH] Some examples of bad sanitizers
---
bad_sanitizers/bad_sanitizers.py | 19 +++++++++++++++++++
bad_sanitizers/breaking_bad_sanitizers.py | 19 +++++++++++++++++++
2 files changed, 38 insertions(+)
create mode 100644 bad_sanitizers/bad_sanitizers.py
create mode 100644 bad_sanitizers/breaking_bad_sanitizers.py
diff --git a/bad_sanitizers/bad_sanitizers.py b/bad_sanitizers/bad_sanitizers.py
new file mode 100644
index 0000000..1297dd1
--- /dev/null
+++ b/bad_sanitizers/bad_sanitizers.py
@@ -0,0 +1,19 @@
+import re
+import urllib.parse
+
+def sanitizer_1(source):
+ items_were_deleted = True
+
+ while items_were_deleted:
+ start_length = len(source)
+
+ source = ''.join(re.split(r'<\s*split\s*>', source))
+ source = source[:50]
+ source = ''.join(source.split('"'))
+
+ items_were_deleted = len(source) < start_length
+
+ source = urllib.parse.unquote(source)
+
+ return source
+
diff --git a/bad_sanitizers/breaking_bad_sanitizers.py b/bad_sanitizers/breaking_bad_sanitizers.py
new file mode 100644
index 0000000..f850c0f
--- /dev/null
+++ b/bad_sanitizers/breaking_bad_sanitizers.py
@@ -0,0 +1,19 @@
+import unittest
+import urllib.parse
+
+import bad_sanitizers
+
+class TestBreakingStrings(unittest.TestCase):
+ def test_breaking_string_for_bad_sanitizer_1(self):
+ desired_result = '">'
+
+ breaking_string = '%22>%3Cscript>alert(%22foo%22)'
+
+ print(breaking_string)
+
+ self.assertEqual(
+ bad_sanitizers.sanitizer_1(breaking_string),
+ desired_result,
+ )
+
+unittest.main()
-- 
2.20.1
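Review bot: The decode step `source = urllib.parse.unquote(source)` runs only after the loop that strips `"` and `<split>`, so percent-encoded input such as `%22` or `%3C` passes the stripping untouched and is turned back into a literal quote or angle bracket on the way out — filtering before canonicalization is the flaw this file exists to illustrate, but nothing in `sanitizer_1` says so. Given the module name and the commit message, I'd state it in the function so nobody imports this as a real sanitizer: `"""Deliberately broken: strips '"' and '<split>' BEFORE percent-decoding, so %22 / %3C survive the filter and are restored by unquote. Do not use."""`, plus `# decoding must precede any filtering` on the unquote line. A correct version would decode first and, rather than deleting characters, escape the output for the context it lands in (e.g. `html.escape`). Note also that `source = source[:50]` sits inside the loop, so the length-based stop condition forces an extra pass for any input longer than 50 characters; harmless here, but worth a one-line comment if intentional.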
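Review bot: `unittest.main()` is called at module level, so merely importing breaking_bad_sanitizers (from a test runner or another module) runs the suite and exits the interpreter via `sys.exit`; guard it with `if __name__ == "__main__":` / `    unittest.main()`. The expected value `desired_result = '">'` does not match what `sanitizer_1` returns for `'%22>%3Cscript>alert(%22foo%22)'` — the loop removes nothing from that input (no literal `"`, no `<split>`, under 50 characters) and `unquote` yields `"><script>alert("foo")` — so either the assertion fails as written or the `<script>…` tail of the literal was lost when this page was rendered; confirm against the actual file. `print(breaking_string)` is debug output left in the test, and `urllib.parse` is imported but unused in this module.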