Sha256: 373669385b27da7aad13ae7abba5b648241ca2b506180766fda66d965a16e763
Contents?: true
Size: 621 Bytes
Versions: 21
Compression:
Stored size: 621 Bytes
Contents
require 'sinatra'
# stupid to way to pretend vulnerability for :os_cmd_injection_timing
def eval( str )
return if !str.to_s.strip.start_with?( 'ping' )
if delay = str.to_s.gsub( /\D/, ' ' ).split( ' ' ).uniq.last
sleep delay.to_i
end
end
get '/' do
<<-HTML
<form action='/trusted'>
<input name="trusted_input"/>
</form>
<form action='/untrusted'>
<input name="untrusted_input"/>
</form>
HTML
end
get '/trusted' do
eval( params['trusted_input'] )
end
get '/untrusted' do
sleep( 4 )
eval( params['untrusted_input'] )
end
Version data entries
21 entries across 21 versions & 1 rubygems