From 31165ebadada6a18e68288756409e625d7eef569 Mon Sep 17 00:00:00 2001 From: Nicolas Valcarcel Date: Fri, 5 Jul 2019 18:07:24 -0500 Subject: [PATCH 1/2] create requirements.txt, add Flask, create a minimal package --- README.md | 15 +++++++++++++-- marketplace/__init__.py | 7 +++++++ requirements.txt | 1 + 3 files changed, 21 insertions(+), 2 deletions(-) create mode 100644 marketplace/__init__.py create mode 100644 requirements.txt diff --git a/README.md b/README.md index 07f59ae..4b5ca36 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,17 @@ # Secure Coding with Python. +## Chapter 1: Project Bootstrap +### Requirement +To start with our development, we install Flask, create our requirements.txt with it and create the `marketplace` package, with a minimal Flask app in `__init__.py`. We can run the project with `python -m flask run` to see that it loads correctly. + +### Vulnerability +Since we have done some Flask work in the past, we copied over a requirements.txt and installed Flask from it. The version in said file was Flask 0.12. At the date of the development, the latest Flask release is 1.0.3 + +Since Flask 0.12 the following security releases had been issued: +* [0.12.3](https://github.com/pallets/flask/releases/tag/0.12.3): CWE-20: Improper Input Validation on JSON decoding. + +Given that we used an old version that's vulnerable to all of the above, our application, by definition is vulnerable if we make use of the affected functionallity. + ## Description Welcome to the Secure coding with python course. In this repository you will find a series of branches for each step of the development of a sample marketplace application. In such a development, we will be making security mistakes and introducing vulnerabilities, we will add tests for them and finally fixing them. 
@@ -7,8 +19,7 @@ The branches will have the following naming scheme for easier navigation: {Chapt For this course we will be using Python3, Flask and PostgreSQL. - -**Proceed to [next section](https://github.com/nxvl/secure-coding-with-python/tree/1-vulnerable-components/code)** +**Proceed to [next section](https://github.com/nxvl/secure-coding-with-python/tree/1-vulnerable-components/test)** ## Index ### 1. Vulnerable Components diff --git a/marketplace/__init__.py b/marketplace/__init__.py new file mode 100644 index 0000000..1b4f4af --- /dev/null +++ b/marketplace/__init__.py @@ -0,0 +1,7 @@ +from flask import Flask + +app = Flask(__name__) + +@app.route('/') +def hello(): + return 'Hello, World!' \ No newline at end of file diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 0000000..4be7437 --- /dev/null +++ b/requirements.txt @@ -0,0 +1 @@ +Flask==0.12 \ No newline at end of file From 5793b99e0a425c07437f878cb27e2c3dd2338488 Mon Sep 17 00:00:00 2001 From: Nicolas Valcarcel Date: Tue, 20 Aug 2019 21:36:56 -0500 Subject: [PATCH 2/2] Include pip installation command and clarify instructions a bit --- README.md | 27 +++++++++++++-------------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 353212c..d29b226 100644 --- a/README.md +++ b/README.md 
@@ -2,26 +2,25 @@ ## Chapter 1: Project Bootstrap ### Requirement -To start with our development, we install Flask, create our requirements.txt with it and create the `marketplace` package, with a minimal Flask app in `__init__.py`. We can run the project with `python -m flask run` to see that it loads correctly. +To start with our development, we copy over a `requirements.txt` file we had from a previous project and install +Flash from it. + +```bash +> pip install -r requirements.txt +``` + +Then we create the `marketplace` package, with a minimal Flask app in `__init__.py`. We can run the project with +`python -m flask run` to see that it loads correctly going with our browser to `http://127.0.0.1:5000/`. ### Vulnerability -Since we have done some Flask work in the past, we copied over a requirements.txt and installed Flask from it. The version in said file was Flask 0.12. At the date of the development, the latest Flask release is 1.0.3 +Since we copied over a `requirements.txt` and installed Flask from it, we have a very old Flask version. The +version in said file was Flask 0.12. At the date of the development, the latest Flask release is 1.0.3 Since Flask 0.12 the following security releases had been issued: * [0.12.3](https://github.com/pallets/flask/releases/tag/0.12.3): CWE-20: Improper Input Validation on JSON decoding. -Given that we used an old version that's vulnerable to all of the above, our application, by definition is vulnerable if we make use of the affected functionallity. - -## Description -Welcome to the Secure coding with python course. In this repository you will find a series of branches for each step -of the development of a sample marketplace application. In such a development, we will be making security mistakes and -introducing vulnerabilities, we will add tests for them and finally fixing them. - -The branches will have the following naming scheme for easier navigation: -{Chapter number}-{Chapter Name}/{code|test|fix}. 
I encourage you to follow the chapters in order, but you can also -skip to the specific one you wish to review. - -For this course we will be using Python3, Flask and PostgreSQL. +Given that we used an old version that's vulnerable to all of the above, our application, by definition is vulnerable +if we make use of the affected functionallity. **Proceed to [next section](https://github.com/nxvl/secure-coding-with-python/tree/1-vulnerable-components/test)**
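Review bot: in PATCH 1/2, README.md hunk `@@ -1,5 +1,17 @@`, "functionallity" is misspelled (should be "functionality"), and "vulnerable to all of the above" reads oddly when the list has a single entry (0.12.3, CWE-20). Consider naming the affected functionality concretely in the Vulnerability section (the JSON decoding path the 0.12.3 release notes refer to), so the reader of the `test` branch knows which code path the test is expected to exercise rather than having to infer it from "if we make use of the affected functionality".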
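Review bot: in PATCH 1/2, README.md hunk `@@ -7,8 +19,7 @@`, the next-section link is changed from `.../1-vulnerable-components/code` to `.../1-vulnerable-components/test`, which matches the `{Chapter number}-{Chapter Name}/{code|test|fix}` naming scheme in the surrounding context, but the commit message ("create requirements.txt, add Flask, create a minimal package") does not mention the link change; add a line to the message so the history explains why the link moved.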
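Review bot: in PATCH 1/2, the `marketplace/__init__.py` hunk is missing a trailing newline (`\ No newline at end of file`). Also worth noting for the follow-up branches: the only route, `hello()`, returns a plain string, so nothing in this app yet reaches the JSON decoding functionality that the README's Vulnerability section says is affected in Flask 0.12; the `test` branch will need an endpoint that actually decodes request JSON before a test can demonstrate the issue.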
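Review bot: in PATCH 1/2, the `requirements.txt` hunk pins `Flask==0.12` as the deliberately outdated component the chapter is about, but only Flask itself is pinned; everything Flask pulls in is left unpinned, so two installs from this file can resolve to different dependency sets and the "vulnerable" state the course relies on is not fully reproducible. If that matters for the `test`/`fix` branches, pin the full set (e.g. from `pip freeze` in a fresh virtualenv). The file also lacks a trailing newline.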
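Review bot: in PATCH 2/2, README.md hunk `@@ -2,26 +2,25 @@`, "install Flash from it" should read "install Flask from it", and "functionallity" is still misspelled in the re-added paragraph. More importantly, this hunk deletes the whole `## Description` section (the course welcome, the `{Chapter number}-{Chapter Name}/{code|test|fix}` branch naming scheme, and the Python3/Flask/PostgreSQL note) while the commit message only says "Include pip installation command and clarify instructions a bit"; if the removal is intentional (e.g. the description now lives elsewhere), state that in the message, otherwise restore those lines. Minor: the `> ` prompt inside the ```bash fence is copied along with the command when readers paste it; drop it or use a plain `$`.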