import pickle
import yaml
import marshal
from flask import Flask, request
# Flask application object; the @app.route decorators in this module register
# their HTTP endpoints on it.
app = Flask(__name__)
@app.route('/load', methods=['POST'])
def load_data():
    """Unpickle the raw POST body and return the ``str()`` of the result."""
    # NOTE(security): request.data is attacker-controlled, and pickle.loads()
    # can execute arbitrary code while decoding -- the pickle documentation
    # warns against unpickling untrusted data. An HTTP body should be parsed
    # with a data-only format (for example JSON via request.get_json()) and
    # validated against an expected schema.
    return str(pickle.loads(request.data))
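@app.route('/session', methods=['POST'])
def restore_session():
    """Restore a session object from the ``session`` form field of a POST.

    Returns:
        A confirmation string containing the unpickled object, or a 400
        response when the ``session`` field is absent.
    """
    session_data = request.form.get('session')
    if session_data is None:
        # A missing field used to reach ``None.encode()`` and surface as an
        # unhandled AttributeError (HTTP 500); reject it as a client error.
        return "Missing 'session' form field", 400

    # NOTE(security): the form field is fully client-controlled, and
    # pickle.loads() can execute arbitrary code while decoding. Session state
    # that round-trips through the client should be a data-only format (such
    # as JSON) protected by an integrity tag that is verified before parsing;
    # Flask's built-in signed ``session`` object already works that way.
    session = pickle.loads(session_data.encode())
    return f"Session restored: {session}"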
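def load_config(config_data):
    """Parse a YAML configuration document into plain Python data.

    Args:
        config_data: YAML text (or a readable stream) to parse.

    Returns:
        The parsed document, built from standard YAML tags only.
    """
    # yaml.load() without an explicit Loader raises TypeError on PyYAML >= 6.0,
    # and on older releases it fell back to a loader able to construct
    # arbitrary Python objects from the document. safe_load() works on every
    # release and only builds standard YAML types, which is all a config file
    # needs. Documents that relied on python-specific tags are now rejected
    # with a yaml.YAMLError instead of being instantiated.
    return yaml.safe_load(config_data)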
def deserialize_object(serialized):
    """Return the object encoded in the pickle byte string ``serialized``."""
    # NOTE(security): pickle.loads() can execute arbitrary code while decoding.
    # This is only safe if every caller passes bytes the application produced
    # itself and stored where no untrusted party can modify them -- verify the
    # call sites. Otherwise authenticate the bytes (e.g. an HMAC check) before
    # loading, or switch to a data-only format such as JSON.
    restored = pickle.loads(serialized)
    return restored
def load_user_preferences(pref_string):
    """Decode ``pref_string`` (marshal-encoded bytes) and return the value."""
    # NOTE(security): the marshal documentation states the module is not
    # hardened against erroneous or malicious input and must not be fed data
    # from an untrusted or unauthenticated source. Its format is also tied to
    # the Python version, which makes it a poor fit for stored preferences;
    # JSON is the usual choice for user-supplied settings.
    return marshal.loads(pref_string)
@app.route('/import', methods=['POST'])
def import_data():
    """Unpickle the uploaded ``file`` part and echo the resulting object."""
    uploaded = request.files['file']
    # NOTE(security): an uploaded file is attacker-controlled, and
    # pickle.loads() can execute arbitrary code while decoding it. Import
    # endpoints should accept a data-only format (JSON, CSV, ...) and validate
    # the parsed structure before using it.
    imported = pickle.loads(uploaded.read())
    return f"Imported: {imported}"
def process_yaml(yaml_content):
    """Parse ``yaml_content`` with PyYAML's unrestricted ``yaml.Loader``."""
    # NOTE(security): yaml.Loader resolves python-specific tags and can
    # therefore construct arbitrary Python objects while parsing. If
    # yaml_content can come from an untrusted source, use yaml.safe_load()
    # (Loader=yaml.SafeLoader), which only builds standard YAML types.
    return yaml.load(yaml_content, Loader=yaml.Loader)
class DataProcessor:
    """Helpers that rebuild Python objects from pickle byte strings.

    NOTE(security): both methods call pickle.loads(), which can execute
    arbitrary code while decoding. They are only safe on bytes the
    application produced itself and whose integrity has been verified.
    """

    def load_from_bytes(self, byte_data):
        """Return the object encoded in ``byte_data``."""
        loaded = pickle.loads(byte_data)
        return loaded

    def restore_state(self, state_data):
        """Replace this instance's attribute dict with the unpickled value."""
        # Besides the code-execution risk of pickle itself, the payload decides
        # every attribute of the instance, so even a well-formed dict lets the
        # producer of state_data overwrite any field.
        restored = pickle.loads(state_data)
        self.__dict__ = restored
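if __name__ == '__main__':
    import os

    # Debug mode turns on the Werkzeug interactive debugger, which lets anyone
    # who can reach the server run Python in its process, and it returns full
    # tracebacks to clients. Keep it off by default and make it an explicit
    # opt-in for local development through the FLASK_DEBUG environment variable.
    debug_enabled = os.environ.get('FLASK_DEBUG', '').lower() in ('1', 'true')
    app.run(debug=debug_enabled)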