import logging
import sqlite3

from flask import Blueprint, request, render_template

from . import query_db
# Blueprint for the HTML UI routes; the view(s) below attach to it via @bp.route.
bp = Blueprint("ui", __name__)
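@bp.route("/search")
def search():
    """Render the user search page for the ``query`` request parameter.

    Reads ``query`` from the query string and looks up rows of ``user`` whose
    ``username`` matches it with a parameterised ``LIKE`` (the term is bound
    as a placeholder value, never interpolated into the SQL). On success
    renders ``search.html`` with the rows, their count and the raw search
    term; when ``query`` is missing, or the database raises, renders
    ``error.html`` instead.

    Returns:
        The rendered template for this request (whatever ``render_template``
        returns).
    """
    query_param = request.args.get("query")
    if query_param is None:
        message = "please provide the query parameter"
        return render_template("error.html", message=message)

    # ``%`` and ``_`` inside the term are still LIKE wildcards; with a bound
    # parameter that only affects which rows match, not the statement itself.
    query = "SELECT username, access_level FROM user WHERE username LIKE ?;"
    try:
        results = query_db(query, (query_param,))
    except sqlite3.Error as err:
        # The original built the message with ``+ err`` (str + exception), which
        # raised TypeError before any page was rendered.  Log the driver error
        # server-side and keep its text out of the response, so database
        # internals are not disclosed to the requester.
        logging.getLogger(__name__).exception(
            "search query failed for %r: %s", query_param, err
        )
        message = "Error while executing query " + query_param
        return render_template("error.html", message=message)

    # vulnerability: XSS (author's marker).  This function only hands the raw
    # search term to the template; whether it is HTML-escaped is decided in
    # search.html, which is not visible here.  NOTE(review): if that template
    # renders ``query`` with ``|safe`` or autoescaping disabled, the fix
    # belongs there, not in a pre-escape on this side (it would double-escape
    # once the template is corrected).
    return render_template(
        "search.html", results=results, num_results=len(results), query=query_param
    )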