feat: Compile XSS and SQLi string patterns into regex objects.

MrWaradana 1 month ago
parent 67342b463c
commit 0c4e62a761

@ -20,8 +20,11 @@ MAX_JSON_BODY_SIZE = 1024 * 100 # 100 KB
# Very targeted patterns. Avoid catastrophic regex nonsense. # Very targeted patterns. Avoid catastrophic regex nonsense.
XSS_PATTERN_STR = r"(<script|</script|javascript:|onerror\s*=|onload\s*=|<svg|<img)" XSS_PATTERN_STR = r"(<script|</script|javascript:|onerror\s*=|onload\s*=|<svg|<img)"
XSS_PATTERN = re.compile(XSS_PATTERN_STR, re.IGNORECASE)
SQLI_PATTERN_STR = r"(\bUNION\b|\bSELECT\b|\bINSERT\b|\bDELETE\b|\bDROP\b|--|\bOR\b\s+1=1)" SQLI_PATTERN_STR = r"(\bUNION\b|\bSELECT\b|\bINSERT\b|\bDELETE\b|\bDROP\b|--|\bOR\b\s+1=1)"
SQLI_PATTERN = re.compile(SQLI_PATTERN_STR, re.IGNORECASE)
# JSON prototype pollution keys # JSON prototype pollution keys
FORBIDDEN_JSON_KEYS = {"__proto__", "constructor", "prototype"} FORBIDDEN_JSON_KEYS = {"__proto__", "constructor", "prototype"}
