def admin()

in workshop/insecure-app/app.py [0:0]

• 28 lines of code
• 6 McCabe index (conditional complexity)

def admin():
    output = ''
    # SQL Injection?
    db = sqlite3.connect("tutorial.db")
    cursor = db.cursor()
    username = ''
    password = ''
    try:
        #the % is what makes it bad, instead of passing them in as parameters
        #Example Exploit: SELECT * FROM users WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'
        cursor.execute("SELECT * FROM users WHERE username = '%s' AND password = '%s'" % (username, password))
    except:
        pass
    if request.method == 'POST':
        if 'command' in request.form:
            cmd = request.form['command']
            process = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
            stdout, stderr = process.communicate()
            if process.returncode == 0:
                output = stdout.decode('utf-8')
            else:
                output = f"Error (Exit Code: {process.returncode}):\n{stderr.decode('utf-8')}"
        elif 'file' in request.files:
            uploaded_file = request.files['file']
            uploaded_file.save(os.path.join('/uploads', uploaded_file.filename))
            output = f"File {uploaded_file.filename} uploaded successfully!"
        elif 'sql' in request.form:
            sql = request.form['sql']
            res = cursor.execute(sql)
            output = json.dumps(res.fetchall())


    return render_template_string("""