Skip to content

Fix SQL injection vulnerability in auth.py using parameterized queries #10

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
studentsca023-rgb merged 1 commit into from
Mar 17, 2026
Merged

Fix SQL injection vulnerability in auth.py using parameterized queries #10

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 11 additions & 7 deletions flask_webgoat/auth.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,13 @@
from urllib.parse import urlparse
from flask import Blueprint, request, jsonify, session, redirect
from . import query_db


def is_safe_url(url):
"""Check if URL is safe for redirect (relative URL only)."""
parsed = urlparse(url)
return not parsed.netloc and not parsed.scheme

bp = Blueprint("auth", __name__)


Expand All @@ -14,12 +21,8 @@ def login():
400,
)

# vulnerability: SQL Injection
query = (
"SELECT id, username, access_level FROM user WHERE username = '%s' AND password = '%s'"
% (username, password)
)
result = query_db(query, [], True)
query = "SELECT id, username, access_level FROM user WHERE username = ? AND password = ?"
result = query_db(query, (username, password), True)
if result is None:
return jsonify({"bad_login": True}), 400
session["user_info"] = (result[0], result[1], result[2])
Expand All @@ -42,7 +45,8 @@ def login_and_redirect():
query = "SELECT id, username, access_level FROM user WHERE username = ? AND password = ?"
result = query_db(query, (username, password), True)
if result is None:
# vulnerability: Open Redirect
if not is_safe_url(url):
return jsonify({"error": "Invalid redirect URL"}), 400
return redirect(url)
session["user_info"] = (result[0], result[1], result[2])
return jsonify({"success": True})
Loading