This repository collects lists of security-relavent Python APIs, along with examples of exploits using those APIs. Currently it only contains remote code/command execution libraries.

To work with the code in this repo, you must be in a virtual environment:

$ cd /path/to/python_security
$ python3.8 -m venv venv
$ source venv/bin/activate
(venv) $ pip3.8 install -r requirements.txt

You can launch the server to interactively play with the examples:

(venv) $ FLASK_APP=webapp.app.py FLASK_ENV=development flask run -h localhost -p 2121

This will let you generate payloads for arbitrary code, and run those payloads on your own machine.

All the vulnerable functions covered by this repository are available in machine-readable format in sinks.json. sinks.json can be regenerated by running scripts/generate_sink_list.py.

When adding a new exploit, you can validate it by running the tests:

(venv) $ python3 -m unittest

PRs are welcome. If you're looking for ideas, look at the "Future Work" section in code_execution/README.md. Before submitting an exploit, make sure to run the tests and include evidence of testing in the PR.