Chapter 1: Vulnerable components - code

README.md

@@ -1,31 +1,28 @@
 # Secure Coding with Python.
 
-## Description
-Welcome to the Secure coding with python course. In this repository you will find a series of branches for each step
-of the development of a sample marketplace application. In such a development, we will be making security mistakes and 
-introducing vulnerabilities, we will add tests for them and finally fixing them.
+## Chapter 1: Project Bootstrap
+### Requirement
+To start with our development, we copy over a `requirements.txt` file we had from a previous project and install
+Flash from it.
 
-The branches will have the following naming scheme for easier navigation: 
-{Chapter number}-{Chapter Name}/{code|test|fix}. I encourage you to follow the chapters in order, but you can also 
-skip to the specific one you wish to review. 
+```bash
+> pip install -r requirements.txt
+```
 
-For this course we will be using Python3, Flask and PostgreSQL.
+Then we  create the `marketplace` package, with a minimal Flask app in `__init__.py`. We can run the project with
+`python -m flask run` to see that it loads correctly going with our browser to `http://127.0.0.1:5000/`.
 
-## Preparing the environment
-In order to run the code we will set up a virtual environment using [pyenv](https://github.com/pyenv/pyenv) and 
-[pyenv-virtualenv](https://github.com/pyenv/pyenv-virtualenv). Please refer to each repo for installation instructions.
+### Vulnerability
+Since we copied over a `requirements.txt` and installed Flask from it, we have a very old Flask version. The 
+version in said file was Flask 0.12. At the date of the development, the latest Flask release is 1.0.3
 
-We create our environment with:
-```bash
-> pyenv virtualenv 3.7.4 sec-coding-marketplace
-```
+Since Flask 0.12 the following security releases had been issued:
+* [0.12.3](https://github.com/pallets/flask/releases/tag/0.12.3): CWE-20: Improper Input Validation on JSON decoding.
 
-and we enable it with:
-```bash
-> pyenv shell sec-coding-marketplace
-```
+Given that we used an old version that's vulnerable to all of the above, our application, by definition is vulnerable 
+if we make use of the affected functionallity.
 
-**Proceed to [next section](https://github.com/nxvl/secure-coding-with-python/tree/1-vulnerable-components/code)** 
+**Proceed to [next section](https://github.com/nxvl/secure-coding-with-python/tree/1-vulnerable-components/test)**
 
 ## Index
 ### 1. Vulnerable Components

marketplace/__init__.py

@@ -0,0 +1,7 @@
+from flask import Flask
+
+app = Flask(__name__)
+
+@app.route('/')
+def hello():
+    return 'Hello, World!'

requirements.txt

@@ -0,0 +1 @@
+Flask==0.12