Python sanitize示例

示例#1

    def login(self, auth_header):

        if auth_header is None or auth_header.get(
                'username') is None or auth_header.get('password') is None:
            raise MissingAuthHeaderException

        # mutate the existing query for nosql attacks
        query = {'name': auth_header['username']}
        sanitizer.sanitize(query)

        user = self.users_collection.find_one(query)
        if not user:
            raise UnrecognisedUserException

        if check_password_hash(user['password'], auth_header['password']):
            token = self.jwt.encode(
                {
                    'public_id':
                    str(user['_id']),
                    'exp':
                    datetime.datetime.utcnow() +
                    datetime.timedelta(minutes=10),
                    'key':
                    sha256_crypt.encrypt(
                        auth_header['password'], rounds=1000, salt='')[16:32]
                },
                self.private_key,
                algorithm='RS256')
            return token.decode('UTF-8')

        raise WrongPasswordException

示例#2

def submit_vote_to_db(request):
    response = {'success': False}
    import json
    if request.is_ajax():
        if request.method == 'POST':
            print request.body
            response['success'] = True
            jbody = json.loads(request.body)
            print jbody

            # sanitze the vote object before using it in the mongo update() function
            from mongosanitizer.sanitizer import sanitize
            sanitize(jbody)

            # hash/encrypt the voter id before using it in the mongo update() functions
            import hashlib
            email = str(jbody['voter_id'])
            hashed_email_object = hashlib.md5(email.encode())
            jbody['voter_id'] = hashed_email_object.hexdigest()




            # add vote to mongdb
            from mongo import Mongo
            mongo = Mongo()
            collection_q = mongo.connect(host, port, db, collection_questions_responses)
            query = {}
            #  relaease this to append the vote to its correct concept
            query['ConceptId'] = jbody['concept_id'] #1
            push = {}
            push['$push'] = {}
            push['$push']['votes'] = jbody
            collection_q.update(
                query,
                push
            )

            # add voted tasks to users collections
            collection_u = mongo.connect(host, port, db, collection_users)
            query_ = {}
            query_['UserID'] = jbody['voter_id']
            push_set = {}
            push_set['$push'] = {}
            push_set['$push']['voted_concepts_list'] = jbody['concept_id']
            push_set['$push']['voted_cursor_list'] = jbody['voter_survey_cursor']
            push_set['$push']['voting_dates'] = jbody['vote_date']
            push_set['$set'] = {}
            push_set['$set']['last_vote_date'] = jbody['vote_date']

            collection_u.update(
                query_,
                push_set,
                upsert=True
            )

    from django.http import JsonResponse
    print JsonResponse(response)
    return HttpResponse(json.dumps(response), content_type="application/json")

示例#3

    def is_whitelisted_user(self, username):
        # mutate the existing query for nosql attacks
        query = {'name': username}
        sanitizer.sanitize(query)

        if not self.whitelisted_users.find_one(query):
            return False

        return True

示例#4

文件： credentials_service.py 项目： Amr-Eldfrawy/password_manager

    def delete_email_and_read_all(self, user_id, email_to_delete):
        # mutate the existing query for nosql attacks
        query = {'_id': user_id}
        sanitizer.sanitize(query)

        return self.credentials_collection.find_one_and_update(
            query, {'$pull': {
                'credentials': {
                    'email': email_to_delete,
                }
            }},
            upsert=True,
            return_document=ReturnDocument.AFTER)

示例#5

def get_voted_tasks_from_mongodb(request, userid):
    from mongo import Mongo
    import copy, json
    print 'connecting to mongodb . . . '

    jresponse = {}
    # response['prev_tasks'] = []
    jresponse['voted_tasks_concepts'] = []
    jresponse['voted_tasks_cursors'] = []

    mongo = Mongo()
    collection = mongo.connect(host, port, db, collection_users)
    query = {}

    #  sanitze the userid before using it in the mongo find() function
    from mongosanitizer.sanitizer import sanitize
    sanitize(userid)

    # hash/encrypt user_id email before querying db to find match
    import hashlib
    email = userid
    hashed_email_object = hashlib.md5(email.encode())


    # prepare query
    query['UserID'] = hashed_email_object.hexdigest()
    cursor = collection.find(query, no_cursor_timeout=True)
    voted_tasks_concepts = []
    voted_tasks_cursors = []

    for item in cursor:
        # response['prev_tasks'].extend(copy.deepcopy(concept['votes']['voted_tasks']))
        print item['voted_concepts_list']
        print item['voted_cursor_list']
        jresponse['voted_tasks_concepts'].extend(copy.deepcopy(item['voted_concepts_list']))
        jresponse['voted_tasks_cursors'].extend(copy.deepcopy(item['voted_cursor_list']))

    # from django.http import JsonResponse
    # print response(JsonResponse(jresponse))
    # return response(JsonResponse(jresponse))
    response = HttpResponse(json.dumps(jresponse), content_type="application/json")
    # cookies set
    if not request.COOKIES.get('userid'):
        # response = HttpResponse()
        response.set_cookie('userid', userid, 3600 * 24 * 365)  # one year cookie
        # return response
    elif request.COOKIES.get('userid') != userid:
        response.set_cookie('userid', userid, 3600 * 24 * 365)  # one year cookie

    return response

示例#6

def connect_find():
    unsafe_search = request.args['search']
    json_search = json.loads(unsafe_search)
    safe_search = sanitize(json_search)

    db = me.connect('mydb')
    return db.movie.find({'name': safe_search})

示例#7

文件： credentials_service.py 项目： Amr-Eldfrawy/password_manager

    def add_credential_and_read_all(self, user_id, email, plain_password, key):
        # mutate the existing query for nosql attacks
        query = {'_id': user_id}
        sanitizer.sanitize(query)

        return self.credentials_collection.find_one_and_update(
            {'_id': user_id}, {
                '$push': {
                    'credentials': {
                        'email': email,
                        'password': key.encrypt(plain_password)
                    }
                }
            },
            upsert=True,
            return_document=ReturnDocument.AFTER)

示例#8

文件： credentials_service.py 项目： Amr-Eldfrawy/password_manager

    def user_has_email(self, user_id, email):
        # mutate the existing query for nosql attacks
        query = {'_id': user_id}
        sanitizer.sanitize(query)

        existing_credentials = self.credentials_collection.find_one(query)
        if existing_credentials is None or existing_credentials.get(
                'credentials') is None:
            return False

        # can be searched better
        for credential in existing_credentials['credentials']:
            if credential['email'] == email:
                return True

        return False

示例#9

    def register(self, name, password):
        # mutate the existing query for nosql attacks
        query = {'name': name}
        sanitizer.sanitize(query)

        # pbkdf2:sha256', salt_length=8
        if self.users_collection.find_one(
            {'name': name}) or self.is_whitelisted_user(name) is False:
            return False

        self.users_collection.insert_one({
            'name':
            name,
            'password':
            generate_password_hash(password)
        })

        return True

示例#10

文件： credentials_service.py 项目： Amr-Eldfrawy/password_manager

    def read_all_credentials(self, user_id):
        # mutate the existing query for nosql attacks
        query = {'_id': user_id}
        sanitizer.sanitize(query)

        return self.credentials_collection.find_one(query)

示例#11

文件： test_sanitizer.py 项目： noamt/python-mongo-sanitizer

def test_sanitize_second_level_dict():
    query = {'jim': {'$bob': 'jones'}}
    sanitize(query)
    assert '$bob' not in query['jim']

示例#12

文件： test_sanitizer.py 项目： noamt/python-mongo-sanitizer

def test_sanitize_a_third_level_dict_in_a_second_level_list():
    query = {'jim': [{'johnson': {'$bob': 'jones'}}]}
    sanitize(query)
    assert '$bob' not in query['jim'][0]['johnson']

示例#13

文件： test_sanitizer.py 项目： noamt/python-mongo-sanitizer

def test_sanitize_in_a_second_level_list():
    query = {'jim': [{'$bob': 'jones'}]}
    sanitize(query)
    assert '$bob' not in query['jim'][0]

示例#14

文件： flask_pymongo_good.py 项目： raulgarciamsft/ql

def home_page():
    unsafe_search = request.args['search']
    json_search = json.loads(unsafe_search)
    safe_search = sanitize(json_search)

    return mongo.db.user.find({'name': safe_search})

示例#15

文件： test_sanitizer.py 项目： noamt/python-mongo-sanitizer

def test_sanitize_first_level_key():
    query = {'$bob': 'alice'}
    sanitize(query)
    assert '$bob' not in query

示例#16

文件： pymongo_good.py 项目： tausbn/codeql

def home_page():
    unsafe_search = request.args['search']
    json_search = json.loads(unsafe_search)
    safe_search = sanitize(json_search)

    return client.db.collection.find_one({'data': safe_search})

示例#17

文件： flask_mongoengine_good.py 项目： raulgarciamsft/ql

def subclass_objects():
    unsafe_search = request.args['search']
    json_search = json.loads(unsafe_search)
    safe_search = sanitize(json_search)

    return Movie.objects(__raw__=safe_search)