I'm writing some python3 code using the ldap3 library and I'm trying to prevent LDAP-injection. The OWASP injection-prevention cheat sheet recommends using a safe/parameterized API(among other things). However, I can't find a safe API or safe method for composing search queries in the ldap3 docs. Most of the search queries in the docs use hard-coded strings, like this:
conn.search('dc=demo1,dc=freeipa,dc=org', '(objectclass=person)')
and I'm trying to avoid the need to compose queries in a manner similar to this:
conn.search(search, '(accAttrib=' + accName + ')')
Additionally, there seems to be no mention of 'injection' or 'escaping' or similar concepts in the docs. Does anyone know if this is missing in this library altogether or if there is a similar library for Python that provides a safe/parameterized API? Or has anyone encountered and solved this problem before?
A final point: I've seen the other StackOverflow questions that point out how to use whitelist validation or escaping as a way to prevent LDAP-injection and I plan to implement them. But I'd prefer to use all three methods if possible.
I was a little surprised that the documentation doesn't seem to mention this. However there is a utility function escape_filter_chars which I believe is what you are looking for:
from ldap3.utils import conv
attribute = conv.escape_filter_chars("bar)", encoding=None)
query = "(foo={0})".format(attribute)
conn.search(search, query)
I believe the best way to prevent LDAP injection in python3 is to use the Abstraction Layer.
Example code:
# First create a connection to ldap to use.
# I use a function that creates my connection (abstracted here)
conn = self.connect_to_ldap()
o = ObjectDef('groupOfUniqueNames', conn)
query = 'Common Name: %s' % cn
r = Reader(conn, o, 'dc=example,,dc=org', query)
r.search()
Notice how the query is abstracted? The query would error if someone tried to inject a search here. Also, this search is protected by a Reader instead of a Writer. The ldap3 documentation goes through all of this.
Related
I am accessing an Intersystems cache 2017.1.xx instance through a python process to get various attributes about the database in able to monitor the database.
One of the items I want to monitor is license usage. I wrote a objectscript script in a Terminal window to access license usage by user:
s Rset=##class(%ResultSet).%New("%SYSTEM.License.UserListAll")
s r=Rset.Execute()
s ncol=Rset.GetColumnCount()
While (Rset.Next()) {f i=1:1:ncol w !,Rset.GetData(i)}
But, I have been unable to determine how to convert this script into a Python equivalent. I am using the intersys.pythonbind3 import for connecting and accessing the cache instance. I have been able to create python functions that accessing most everything else in the instance but this one piece of data I can not figure out how to translate it to Python (3.7).
Following should work (based on the documentation):
query = intersys.pythonbind.query(database)
query.prepare_class("%SYSTEM.License","UserListAll")
query.execute();
# Fetch each row in the result set, and print the
# name and value of each column in a row:
while 1:
cols = query.fetch([None])
if len(cols) == 0: break
print str(cols[0])
Also, notice that InterSystems IRIS -- successor to the Caché now has Python as an embedded language. See more in the docs
Since the noted query "UserListAll" is not defined correctly in the library; not SqlProc. So to resolve this issue would require a ObjectScript with the query and the use of #Result set or similar in Python to get the results. So I am marking this as resolved.
Not sure which Python interface you're using for Cache/IRIS, but this Open Source 3rd party one is worth investigating for the kind of things you're trying to do:
https://github.com/chrisemunt/mg_python
I'm at the moment in the middle of writing my Bachelor thesis and for it creating a database system with Postgres and Flask.
To ensure the safety of my data, I was working on a file to prevent SQL injections, since a user should be able to submit a string via Http request. Since most of my functions which I use to analyze the Http request use Kwargs and a dict based on JSON in the request I was wondering if it is possible to inject python code into those kwargs.
And If so If there are ways to prevent that.
To make it easier to understand what I mean, here are some example requests and code:
def calc_sum(a, b):
c = a + b
return c
#app.route(/<target:string>/<value:string>)
def handle_request(target,value):
if target == 'calc_sum':
cmd = json.loads(value)
calc_sum(**cmd)
example Request:
Normal : localhost:5000/calc_sum/{"a":1, "b":2}
Injected : localhost:5000/calc_sum/{"a":1, "b:2 ): print("ham") def new_sum(a=1, b=2):return a+b":2 }
Since I'm not near my work, where all my code is I'm unable to test it out. And to be honest that my code example would work. But I hope this can convey what I meant.
I hope you can help me, or at least nudge me in the right direction. I've searched for it, but all I can find are tutorials on "who to use kwargs".
Best regards.
Yes you, but not in URL, try to use arguments like these localhost:5000/calc_sum?func=a+b&a=1&b=2
and to get these arguments you need to do this in flask
#app.route(/<target:string>)
def handle_request(target):
if target == 'calc_sum':
func= request.args.get('func')
a = request.args.get('a')
b = request.args.get('b')
result = exec(func)
exec is used to execute python code in strings
I am consuming a SOAP webservice with suds (0.4). The WSDL I am using throws an error
>>> import uuid
>>> from suds.client import Client
>>> wsdl = 'https://toolkit.dnb.com/locked/resource/docs/TransactionAndMessageDefinition/ProductList.wsdl'
>>> client = Client(wsdl)
The service I am consuming expects one parameter productListRequest, which is a complex type where you put UserId, Password and a complex type of ProductListInput.
I fill these with:
>>> productListRequest = client.factory.create('productListRequest')
>>> productListRequest.UserId = 'myusername'
>>> productListRequest.Password = 'mypassword'
>>> productListRequest.TRNUID = uuid.uuid4()
>>> ProductListInput = client.factory.create('ProductListInput')
>>> ProductListInput.DnB_DUNS_Number = ''
>>> ProductListInput.Product = 'Product Name'
>>> ProductListInput.CountryCode = 'IT'
>>> ProductListInput.TradeUp = ''
>>> ProductListInput.Reason = ''
>>> productListRequest.ProductListInput = ProductListInput
But whenever I am calling the service:
>>> print client.service.ws_ProductList(productListRequest)
I get Type not found: 'ArrayOfUPD_FLDSItem'
I am really stuck here. I have googled this error for 2 days and honestly I do not know what to do! Maybe someone with a deeper understanding of WSDL and suds can help.
So my questions:
Is this WSDL, which I am consuming proper defined? (If it is proper defined, I will report it to the suds
maintainers)
If this WSDL is not proper defined, is there a workaround (e.g.
suds schema doctor) to fix it on suds site?
Is there a alternative Python library, which I should use?
Suds is currently the best choice for WSDL consumption in Python. Unfortunately WSDL itself is such a complex mess that making good out of it is difficult.
Luckily Suds come with extensive logging capabilities which you can use to debug the problem and this is the first step of solving it. This earlier question answers how to enable it:
How can I output what SUDs is generating/receiving?
However, giving a complete answer for the type error would require seeing extensive logging output and/or source code, so I suggest you somehow try to narrow down the problem. To make the problem ultimately solvable a sample (non-working) schema and Python code would be nice.
(The error might hint that there is some subschema / external schema defined / missing which Suds cannot load for reason X)
At first:
It does not make sense to call the product list without a DUNS-Number. The transaction gives all avaliable products to a given DUNS. If the DUNS number is left empty, you will only get a field list of the product you stated (assuming you put a valid product name into your call, not "product name").
BUT:
Even by putting all parameters in, I ran into the same problem and was not able to solve it, either.
Check with DnB and make them correct the WSDL - their WSDLs are quite buggy: Note that they have simply forgotten a whole transaction in the WSDL implementation (prodOrderRequest_3 for retrieving data from the toolkit archive)
My solution is to use the XML-Version of the Toolkit for this and the other mentioned transaction. Unfortunately.
I have several devices on a network. I am trying to use a library to discover the presence and itentity of these devices using Python script, the devices all have a web service. My question is, are there any modules that would help me with this problem as the only module I have found is ws-discovery for Python?
And if this is the only module does anyone have any example Python script using ws-discovery?
Thanks for any help.
Unfortunately I've never used ws-discovery myself, but there seems to be a Python project which implements it:
https://pypi.org/project/WSDiscovery/
From their documentation here's a short example on how to use it:
wsd = WSDiscovery()
wsd.start()
ttype = QName("abc", "def")
ttype1 = QName("namespace", "myTestService")
scope1 = Scope("http://myscope")
ttype2 = QName("namespace", "myOtherTestService_type1")
scope2 = Scope("http://other_scope")
xAddr = "localhost:8080/abc"
wsd.publishService(types=[ttype], scopes=[scope2], xAddrs=[xAddr])
ret = wsd.searchServices()
for service in ret:
print service.getEPR() + ":" + service.getXAddrs()[0]
wsd.stop()
Are you tied to ws-discovery? If not, you might want to consider the Bonjour protocol, aka ZeroConf and DNS-SD. The protocol is relatively widely implemented. I've never used python to do the advertising or discovery but there is a project that implements an API: http://code.google.com/p/pybonjour/
As I said, I have no direct experience with this project and merely point it out as an alternative to ws-discovery.
I'm slowly building a web browser in PyQt4 and like the speed i'm getting out of it. However, I want to combine easylist.txt with it. I believe adblock uses this to block http requests by the browser.
How would you go about it using python/PyQt4?
[edit1] Ok. I think i've setup Privoxy. I haven't setup any additional filters and it seems to work. The PyQt4 i've tried to use looks like this
self.proxyIP = "127.0.0.1"
self.proxyPORT= 8118
proxy = QNetworkProxy()
proxy.setType(QNetworkProxy.HttpProxy)
proxy.setHostName(self.proxyIP)
proxy.setPort(self.proxyPORT)
QNetworkProxy.setApplicationProxy(proxy)
However, this does absolutely nothing and I cannot make sense of the docs and can not find any examples.
[edit2] I've just noticed that i'f I change self.proxyIP to my actual local IP rather than 127.0.0.1 the page doesn't load. So something is happening.
I know this is an old question, but I thought I'd try giving an answer for anyone who happens to stumble upon it. You could create a subclass of QNetworkAccessManager and combine it with https://github.com/atereshkin/abpy. Something kind of like this:
from PyQt4.QtNetwork import QNetworkAccessManager
from abpy import Filter
adblockFilter = Filter(file("easylist.txt"))
class MyNetworkAccessManager(QNetworkAccessManager):
def createRequest(self, op, request, device=None):
url = request.url().toString()
doFilter = adblockFilter.match(url)
if doFilter:
return QNetworkAccessManager.createRequest(self, self.GetOperation, QNetworkRequest(QUrl()))
else:
QNetworkAccessManager.createRequest(self, op, request, device)
myNetworkAccessManager = MyNetworkAccessManager()
After that, set the following on all your QWebView instances, or make a subclass of QWebView:
QWebView.page().setNetworkAccessManager(myNetworkAccessManager)
Hope this helps!
Is this question about web filtering?
Then try use some of external web-proxy, for sample Privoxy (http://en.wikipedia.org/wiki/Privoxy).
The easylist.txt file is simply plain text, as demonstrated here: http://adblockplus.mozdev.org/easylist/easylist.txt
lines beginning with [ and also ! appear to be comments, so it is simply a case of sorting through the file, and searching for the correct things in the url/request depending upon the starting character of the line in the easylist.txt file.
Privoxy is solid. If you want it to be completely API based though, check out the BrightCloud web filtering API as well.