@emidln
Last active November 10, 2017 23:31
Example web service with a SQLi that decrypts data that is stored encrypted in the database.
from flask import request, Flask
import json
# stand-ins for the real auth, database and crypto layers
from fake_stuff import current_user, db, aes_decrypt

# per-tenant data-encryption keys, looked up by the caller's company
secrets = {'fooCorp': 'someKey', 'barCorp': 'otherKey'}
app = Flask(__name__)

@app.route("/", methods=["GET"])
def index():
    # pretend this request was authenticated such that we can look up the user's company
    secret = secrets[current_user.company]
    # yay we've built a SQLi: the query-string value is spliced straight into the SQL text
    encrypted_results = db.fetch("select qux from foo where bar = %s" % request.args['bar'])
    # decrypt our quxes: every row the (possibly injected) query returned is decrypted
    # with the caller's key and handed back in the clear
    data = [aes_decrypt(key=secret, value=x) for x in encrypted_results]
    return json.dumps(data), 200
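The gist's point is that encryption at rest does nothing once the application decrypts whatever the query returns, and the `%`-formatted `bar` parameter lets the caller decide what that is. The following is an added example, not code from the gist, that reproduces the injection against an in-memory SQLite table with constructed rows and shows the parameterized form beside it. `make_db`, `fetch_vulnerable`, `fetch_parameterized`, the `PAYLOAD` string and the sample rows are all assumptions introduced here; the ciphertext columns are opaque placeholder bytes, not real AES output.

```python
import sqlite3

# Constructed sample data (not from the gist): each row holds an opaque
# ciphertext blob in qux; the application, not the database, holds the keys.
ROWS = [
    ("fooCorp", "bar-1", b"ct-foo-1"),
    ("fooCorp", "bar-2", b"ct-foo-2"),
    ("barCorp", "bar-3", b"ct-bar-3"),
]

PAYLOAD = "x' OR '1'='1"   # classic tautology: turns the WHERE clause into "match everything"


def make_db():
    """Build an in-memory table shaped like the gist's foo(bar, qux)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table foo (company text, bar text, qux blob)")
    conn.executemany("insert into foo values (?, ?, ?)", ROWS)
    return conn


def fetch_vulnerable(conn, bar):
    """Mirrors the gist: the attacker-controlled value is spliced into the SQL text."""
    sql = "select qux from foo where bar = '%s'" % bar
    return sorted(row[0] for row in conn.execute(sql))


def fetch_parameterized(conn, bar):
    """Hardened form: the driver binds the value, so it can never change the query shape."""
    rows = conn.execute("select qux from foo where bar = ?", (bar,))
    return sorted(row[0] for row in rows)


def demo():
    """Run the same honest and injected inputs through both query styles."""
    conn = make_db()
    return {
        "honest_vuln": fetch_vulnerable(conn, "bar-1"),
        "injected_vuln": fetch_vulnerable(conn, PAYLOAD),
        "honest_param": fetch_parameterized(conn, "bar-1"),
        "injected_param": fetch_parameterized(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Every blob that `fetch_vulnerable` returns for the injected input is exactly what the gist's handler would then pass to `aes_decrypt` with the caller's key, so the ciphertext column only protects against someone reading the database directly, not against a caller who can steer the query. Binding the parameter removes the injection; scoping the query by the caller's tenant as well (`where company = ? and bar = ?`) is the additional check that keeps one tenant's rows from ever reaching another tenant's key.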