From 74a8aae65fce37ed8b51cb1626f35afdd1c61bd7 Mon Sep 17 00:00:00 2001 From: Jeffrey Huynh Date: Mon, 22 Apr 2024 14:23:23 -0700 Subject: [PATCH 1/2] create python reachability examples --- .../vulnerable-function-not-used/README.md | 3 +++ .../vulnerable-function-not-used/main.py | 13 +++++++++++++ .../requirements.txt | 18 ++++++++++++++++++ .../vulnerable-function-not-used/setup.py | 11 +++++++++++ .../python/vulnerable-function-used/README.md | 3 +++ .../python/vulnerable-function-used/main.py | 0 .../vulnerable-function-used/requirements.txt | 18 ++++++++++++++++++ .../python/vulnerable-function-used/setup.py | 11 +++++++++++ 8 files changed, 77 insertions(+) create mode 100644 reachability/python/vulnerable-function-not-used/README.md create mode 100644 reachability/python/vulnerable-function-not-used/main.py create mode 100644 reachability/python/vulnerable-function-not-used/requirements.txt create mode 100644 reachability/python/vulnerable-function-not-used/setup.py create mode 100644 reachability/python/vulnerable-function-used/README.md create mode 100644 reachability/python/vulnerable-function-used/main.py create mode 100644 reachability/python/vulnerable-function-used/requirements.txt create mode 100644 reachability/python/vulnerable-function-used/setup.py diff --git a/reachability/python/vulnerable-function-not-used/README.md b/reachability/python/vulnerable-function-not-used/README.md new file mode 100644 index 0000000..bf2b214 --- /dev/null +++ b/reachability/python/vulnerable-function-not-used/README.md @@ -0,0 +1,3 @@ +## Vulnerable Example + +- CVE: https://nvd.nist.gov/vuln/detail/CVE-2023-43810#range-9654740 \ No newline at end of file diff --git a/reachability/python/vulnerable-function-not-used/main.py b/reachability/python/vulnerable-function-not-used/main.py new file mode 100644 index 0000000..81fb3d2 --- /dev/null +++ b/reachability/python/vulnerable-function-not-used/main.py 
@@ -0,0 +1,13 @@ +from flask import Flask +from opentelemetry.instrumentation.flask import FlaskInstrumentor + +app = Flask(__name__) + +FlaskInstrumentor().instrument_app(app) # CVE-2023-43810 + +@app.route("/", methods=["UNKNOWN"]) +def hello(): + return "Hello!" + +if __name__ == "__main__": + app.run(debug=True) \ No newline at end of file diff --git a/reachability/python/vulnerable-function-not-used/requirements.txt b/reachability/python/vulnerable-function-not-used/requirements.txt new file mode 100644 index 0000000..31aeea8 --- /dev/null +++ b/reachability/python/vulnerable-function-not-used/requirements.txt @@ -0,0 +1,18 @@ +blinker==1.7.0 +click==8.1.7 +Deprecated==1.2.14 +Flask==3.0.3 +importlib-metadata==7.0.0 +itsdangerous==2.2.0 +Jinja2==3.1.3 +MarkupSafe==2.1.5 +opentelemetry-api==1.24.0 +opentelemetry-instrumentation==0.25b2 +opentelemetry-instrumentation-flask==0.25b2 +opentelemetry-instrumentation-wsgi==0.25b2 +opentelemetry-semantic-conventions==0.25b2 +opentelemetry-util-http==0.25b2 +setuptools==69.5.1 +Werkzeug==3.0.2 +wrapt==1.16.0 +zipp==3.18.1 \ No newline at end of file diff --git a/reachability/python/vulnerable-function-not-used/setup.py b/reachability/python/vulnerable-function-not-used/setup.py new file mode 100644 index 0000000..92a5ba6 --- /dev/null +++ b/reachability/python/vulnerable-function-not-used/setup.py @@ -0,0 +1,11 @@ +from setuptools import setup, find_packages + +with open('requirements.txt') as f: + requirements = f.read().splitlines() + +setup( + name='python-vuln-sample', + version='1.0.0', + packages=find_packages(), + install_requires=requirements, +) \ No newline at end of file diff --git a/reachability/python/vulnerable-function-used/README.md b/reachability/python/vulnerable-function-used/README.md new file mode 100644 index 0000000..bf2b214 --- /dev/null +++ b/reachability/python/vulnerable-function-used/README.md 
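Review bot: `app.run(debug=True)` on the last added line of the main.py hunk switches on the Werkzeug interactive debugger, which serves a browser console that executes arbitrary Python on the host to anyone who can reach the port and obtain the PIN; a reachability sample gains nothing from it, so `app.run()` (or gating debug on an environment variable) is the safer default even for demo code. The route's `methods=["UNKNOWN"]` is also unexplained: Flask will match only requests whose method is literally `UNKNOWN` and answer GET with 405, so a plain `curl http://127.0.0.1:5000/` hits nothing. If the intent is to send a non-standard method to exercise the unbounded HTTP-method cardinality issue that the README's CVE-2023-43810 link presumably refers to, a one-line comment such as `# non-standard method on purpose: exercises the HTTP-method cardinality issue behind CVE-2023-43810` would make that clear; otherwise `methods=["GET"]` (or omitting `methods`) is what a reader expects.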
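Review bot: `packages=find_packages()` in the setup.py hunk resolves to an empty list, because the sample's code is a top-level `main.py` with no package directory (no `__init__.py` is added in this commit), so `pip install .` brings in the pinned dependencies but none of the sample's own code; `py_modules=["main"],` is the setuptools option for a single-module project. The `open('requirements.txt')` call is also resolved against the current working directory rather than setup.py's location, and `splitlines()` keeps blank and comment lines that would be rejected as requirement specifiers; `with open(os.path.join(os.path.dirname(__file__), 'requirements.txt'), encoding='utf-8') as f:` followed by `requirements = [l.strip() for l in f if l.strip() and not l.startswith('#')]` avoids both (needs `import os`). Turning the `==` pins into hard `install_requires` pins is probably intended for a reproducible vulnerable sample, but it is worth a comment, since it will conflict with anything else installed into the same environment.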
@@ -0,0 +1,3 @@ +## Vulnerable Example + +- CVE: https://nvd.nist.gov/vuln/detail/CVE-2023-43810#range-9654740 \ No newline at end of file diff --git a/reachability/python/vulnerable-function-used/main.py b/reachability/python/vulnerable-function-used/main.py new file mode 100644 index 0000000..e69de29 diff --git a/reachability/python/vulnerable-function-used/requirements.txt b/reachability/python/vulnerable-function-used/requirements.txt new file mode 100644 index 0000000..31aeea8 --- /dev/null +++ b/reachability/python/vulnerable-function-used/requirements.txt @@ -0,0 +1,18 @@ +blinker==1.7.0 +click==8.1.7 +Deprecated==1.2.14 +Flask==3.0.3 +importlib-metadata==7.0.0 +itsdangerous==2.2.0 +Jinja2==3.1.3 +MarkupSafe==2.1.5 +opentelemetry-api==1.24.0 +opentelemetry-instrumentation==0.25b2 +opentelemetry-instrumentation-flask==0.25b2 +opentelemetry-instrumentation-wsgi==0.25b2 +opentelemetry-semantic-conventions==0.25b2 +opentelemetry-util-http==0.25b2 +setuptools==69.5.1 +Werkzeug==3.0.2 +wrapt==1.16.0 +zipp==3.18.1 \ No newline at end of file diff --git a/reachability/python/vulnerable-function-used/setup.py b/reachability/python/vulnerable-function-used/setup.py new file mode 100644 index 0000000..92a5ba6 --- /dev/null +++ b/reachability/python/vulnerable-function-used/setup.py @@ -0,0 +1,11 @@ +from setuptools import setup, find_packages + +with open('requirements.txt') as f: + requirements = f.read().splitlines() + +setup( + name='python-vuln-sample', + version='1.0.0', + packages=find_packages(), + install_requires=requirements, +) \ No newline at end of file From 65983d24562cafc9323099a2e150c0aa06ec2b75 Mon Sep 17 00:00:00 2001 From: Jeffrey Huynh Date: Mon, 22 Apr 2024 14:30:00 -0700 Subject: [PATCH 2/2] update non-used function --- reachability/python/vulnerable-function-not-used/main.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
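Review bot: `packages=find_packages()` in this setup.py hunk finds nothing, for the same reason as in the sibling copy: `main.py` is a top-level module with no package directory, so the distribution carries only the dependency pins; `py_modules=["main"],` is what makes the module installable. For the `vulnerable-function-used` variant the gap is wider, since the `main.py` created alongside it in this commit is an empty file (`index 0000000..e69de29`, no content lines), so as of this commit there is no code path that uses the vulnerable function at all; either fill it in here or mark the directory as work-in-progress in its README so a scanner run against the repo is not misread. The requirements-reading block has the same CWD-relative `open('requirements.txt')` and unfiltered `splitlines()` issues as the other copy, and I'd fix both files the same way rather than let the two setup.py drift apart.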
diff --git a/reachability/python/vulnerable-function-not-used/main.py b/reachability/python/vulnerable-function-not-used/main.py index 81fb3d2..5eb3434 100644 --- a/reachability/python/vulnerable-function-not-used/main.py +++ b/reachability/python/vulnerable-function-not-used/main.py @@ -3,7 +3,7 @@ app = Flask(__name__) -FlaskInstrumentor().instrument_app(app) # CVE-2023-43810 +# FlaskInstrumentor().instrument_app(app) @app.route("/", methods=["UNKNOWN"]) def hello():
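Review bot: The new `# FlaskInstrumentor().instrument_app(app)` line is commented-out code with no explanation, and it also drops the `# CVE-2023-43810` marker the removed line carried, so a reader of vulnerable-function-not-used no longer sees why the call is absent. As far as this hunk shows, the `from opentelemetry.instrumentation.flask import FlaskInstrumentor` import (line 2, above the hunk) is untouched, so the vulnerable package is still installed and imported while its vulnerable function is never invoked; that is precisely the distinction a reachability tool is being asked to make (an import-level scanner will still flag it, a call-graph-based one should not), and it deserves to be stated in the file. I'd replace the commented-out call with `# CVE-2023-43810: opentelemetry-instrumentation-flask is installed and imported above,` / `# but FlaskInstrumentor().instrument_app(app) is deliberately never called, so the` / `# vulnerable code path is unreachable from this app.` The body of `hello()` and the `app.run(...)` entry point lie below the end of this hunk.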