From 8a68a67bb8a8bd1ae4a1d5758dc54d6d87e793c2 Mon Sep 17 00:00:00 2001
From: ebakrra
Date: Thu, 14 Mar 2024 16:43:30 +0000
Subject: [PATCH] CWE-838

---
 CWE-707/CWE-838/compliant01.py | 25 +++++++++++++++++++++++++
 CWE-707/CWE-838/noncompliant01.py | 12 ++++++++++++
 2 files changed, 37 insertions(+)
 create mode 100644 CWE-707/CWE-838/compliant01.py
 create mode 100644 CWE-707/CWE-838/noncompliant01.py

diff --git a/CWE-707/CWE-838/compliant01.py b/CWE-707/CWE-838/compliant01.py
new file mode 100644
index 0000000..92809c9
--- /dev/null
+++ b/CWE-707/CWE-838/compliant01.py
@@ -0,0 +1,25 @@
+"""Compliant Code Example"""
+
+import base64
+
+
+def report_record_attack(stream: bytearray):
+ try:
+ decoded_text = stream.decode("utf-8")
+ except UnicodeDecodeError as e:
+ # Encode the stream using Base64 if there is an exception
+ encoded_payload = base64.b64encode(stream).decode("utf-8")
+ # Logging encoded payload for forensic analysis
+ print("Base64 Encoded Payload for Forensic Analysis:", encoded_payload)
+ print("Error decoding payload:", e)
+ else:
+ print("Important text:", decoded_text)
+
+
+#####################
+# attempting to exploit above code example
+#####################
+payload = bytearray("user: 毛泽东先生 attempted a directory traversal".encode("utf-8"))
+# Introducing an error in the encoded text, a byte
+payload[3] = 128
+report_record_attack(payload)
\ No newline at end of file
diff --git a/CWE-707/CWE-838/noncompliant01.py b/CWE-707/CWE-838/noncompliant01.py
new file mode 100644
index 0000000..31143e6
--- /dev/null
+++ b/CWE-707/CWE-838/noncompliant01.py
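Review bot: The success path of `report_record_attack` still writes attacker-controlled text to the output unencoded, because `stream.decode("utf-8")` only rejects malformed byte sequences; a newline, carriage return or terminal escape such as `\x1b[` is valid UTF-8 and reaches `print("Important text:", decoded_text)` verbatim, which is the output-context encoding gap (forged log lines, terminal escape injection) that a CWE-838 compliant example should be seen to close. Encoding the text for the console in the `else` branch, for example `print("Important text:", ascii(decoded_text))`, or otherwise escaping control characters before printing, would close it; the Base64 fallback in the `except` branch is fine because Base64 output is safe in any text context. The exploit section only exercises the malformed-byte case, so a second payload carrying `b"\n"` or `b"\x1b["` would demonstrate the remaining gap. Minor: the file is committed without a trailing newline.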
@@ -0,0 +1,12 @@
+""" Non-compliant Code Example """
+
+def report_record_attack(stream: bytearray):
+ print("important text:", stream.decode("utf-8"))
+
+#####################
+# attempting to exploit above code example
+#####################
+payload = bytearray("user: 毛泽东先生 attempted a directory traversal".encode("utf-8"))
+# Introducing an error in the encoded text, a byte
+payload[3] = 128
+report_record_attack(payload)
\ No newline at end of file
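Review bot: The module docstring does not say what makes this example non-compliant, which a reader comparing it with compliant01.py needs; the decode call uses the default `errors="strict"`, so the 0x80 byte written at `payload[3]` raises `UnicodeDecodeError` inside `report_record_attack` and the attack record is never emitted. A comment such as `# decode() is strict: one malformed byte raises UnicodeDecodeError and the whole record is lost` above the `print` line, or a sentence to that effect in the module docstring, would make the demonstrated failure explicit. The example is intentionally vulnerable, so the code itself should stay as it is.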