Fix endpoint registration order
app.py
CHANGED
|
@@ -23,7 +23,7 @@ def log_request():
|
|
| 23 |
|
| 24 |
@app.route('/logs')
|
| 25 |
def show_logs():
|
| 26 |
-
return jsonify(LOG[-
|
| 27 |
|
| 28 |
@app.route('/clear-logs')
|
| 29 |
def clear_logs():
|
|
@@ -46,18 +46,13 @@ def fetch():
|
|
| 46 |
|
| 47 |
@app.route('/redir')
|
| 48 |
def redir():
|
| 49 |
-
"""Redirect to any URL - useful for SSRF redirect bypass testing"""
|
| 50 |
target = request.args.get('url', '/')
|
| 51 |
code = int(request.args.get('code', '302'))
|
| 52 |
return redirect(target, code=code)
|
| 53 |
|
| 54 |
@app.route('/mcp-proxy', methods=['GET', 'POST'])
|
| 55 |
def mcp_proxy():
|
| 56 |
-
"""Act as an MCP server that proxies to internal endpoints.
|
| 57 |
-
When MCP health check hits this, we respond with MCP-like data
|
| 58 |
-
but also make internal requests."""
|
| 59 |
target = request.args.get('target', '')
|
| 60 |
-
# Log the incoming MCP request
|
| 61 |
entry = {
|
| 62 |
'time': time.time(),
|
| 63 |
'method': request.method,
|
|
@@ -67,11 +62,9 @@ def mcp_proxy():
|
|
| 67 |
'remote_addr': request.remote_addr
|
| 68 |
}
|
| 69 |
LOG.append(entry)
|
| 70 |
-
|
| 71 |
if target:
|
| 72 |
try:
|
| 73 |
r = requests.get(target, timeout=5, verify=False)
|
| 74 |
-
# Return as SSE to satisfy MCP client
|
| 75 |
return Response(
|
| 76 |
f"data: {json.dumps({'result': r.text[:5000], 'status': r.status_code})}\n\n",
|
| 77 |
content_type='text/event-stream'
|
|
@@ -81,8 +74,6 @@ def mcp_proxy():
|
|
| 81 |
f"data: {json.dumps({'error': str(e)})}\n\n",
|
| 82 |
content_type='text/event-stream'
|
| 83 |
)
|
| 84 |
-
|
| 85 |
-
# Default MCP initialize response
|
| 86 |
if request.method == 'POST':
|
| 87 |
body = request.get_json(silent=True) or {}
|
| 88 |
if body.get('method') == 'initialize':
|
|
@@ -138,7 +129,6 @@ def do_curl():
|
|
| 138 |
|
| 139 |
@app.route('/readfile')
|
| 140 |
def readfile():
|
| 141 |
-
"""Read a local file"""
|
| 142 |
path = request.args.get('path', '')
|
| 143 |
try:
|
| 144 |
with open(path, 'r') as f:
|
|
@@ -148,7 +138,6 @@ def readfile():
|
|
| 148 |
|
| 149 |
@app.route('/listdir')
|
| 150 |
def listdir():
|
| 151 |
-
"""List directory contents"""
|
| 152 |
path = request.args.get('path', '/')
|
| 153 |
try:
|
| 154 |
entries = os.listdir(path)
|
|
@@ -158,7 +147,6 @@ def listdir():
|
|
| 158 |
|
| 159 |
@app.route('/post')
|
| 160 |
def do_post():
|
| 161 |
-
"""Make POST request with custom body"""
|
| 162 |
url = request.args.get('url', '')
|
| 163 |
body = request.args.get('body', '')
|
| 164 |
ct = request.args.get('ct', 'application/json')
|
|
@@ -173,12 +161,8 @@ def do_post():
|
|
| 173 |
except Exception as e:
|
| 174 |
return str(e), 500
|
| 175 |
|
| 176 |
-
if __name__ == '__main__':
|
| 177 |
-
app.run(host='0.0.0.0', port=7860)
|
| 178 |
-
|
| 179 |
@app.route('/data.csv')
|
| 180 |
def serve_csv():
|
| 181 |
-
"""Serve fake CSV data - used for SSRF testing"""
|
| 182 |
entry = {
|
| 183 |
'time': time.time(),
|
| 184 |
'method': request.method,
|
|
@@ -192,7 +176,6 @@ def serve_csv():
|
|
| 192 |
|
| 193 |
@app.route('/data.jsonl')
|
| 194 |
def serve_jsonl():
|
| 195 |
-
"""Serve fake JSONL data"""
|
| 196 |
entry = {
|
| 197 |
'time': time.time(),
|
| 198 |
'method': request.method,
|
|
@@ -203,3 +186,6 @@ def serve_jsonl():
|
|
| 203 |
}
|
| 204 |
LOG.append(entry)
|
| 205 |
return '{"text": "hello world"}\n{"text": "ssrf confirmed"}\n', 200, {'Content-Type': 'application/jsonl'}
|
|
|
|
|
|
|
|
|
|
|
|
| 23 |
|
| 24 |
@app.route('/logs')
|
| 25 |
def show_logs():
|
| 26 |
+
return jsonify(LOG[-50:])
|
| 27 |
|
| 28 |
@app.route('/clear-logs')
|
| 29 |
def clear_logs():
|
|
|
|
| 46 |
|
| 47 |
@app.route('/redir')
|
| 48 |
def redir():
|
|
|
|
| 49 |
target = request.args.get('url', '/')
|
| 50 |
code = int(request.args.get('code', '302'))
|
| 51 |
return redirect(target, code=code)
|
| 52 |
|
| 53 |
@app.route('/mcp-proxy', methods=['GET', 'POST'])
|
| 54 |
def mcp_proxy():
|
|
|
|
|
|
|
|
|
|
| 55 |
target = request.args.get('target', '')
|
|
|
|
| 56 |
entry = {
|
| 57 |
'time': time.time(),
|
| 58 |
'method': request.method,
|
|
|
|
| 62 |
'remote_addr': request.remote_addr
|
| 63 |
}
|
| 64 |
LOG.append(entry)
|
|
|
|
| 65 |
if target:
|
| 66 |
try:
|
| 67 |
r = requests.get(target, timeout=5, verify=False)
|
|
|
|
| 68 |
return Response(
|
| 69 |
f"data: {json.dumps({'result': r.text[:5000], 'status': r.status_code})}\n\n",
|
| 70 |
content_type='text/event-stream'
|
|
|
|
| 74 |
f"data: {json.dumps({'error': str(e)})}\n\n",
|
| 75 |
content_type='text/event-stream'
|
| 76 |
)
|
|
|
|
|
|
|
| 77 |
if request.method == 'POST':
|
| 78 |
body = request.get_json(silent=True) or {}
|
| 79 |
if body.get('method') == 'initialize':
|
|
|
|
| 129 |
|
| 130 |
@app.route('/readfile')
|
| 131 |
def readfile():
|
|
|
|
| 132 |
path = request.args.get('path', '')
|
| 133 |
try:
|
| 134 |
with open(path, 'r') as f:
|
|
|
|
| 138 |
|
| 139 |
@app.route('/listdir')
|
| 140 |
def listdir():
|
|
|
|
| 141 |
path = request.args.get('path', '/')
|
| 142 |
try:
|
| 143 |
entries = os.listdir(path)
|
|
|
|
| 147 |
|
| 148 |
@app.route('/post')
|
| 149 |
def do_post():
|
|
|
|
| 150 |
url = request.args.get('url', '')
|
| 151 |
body = request.args.get('body', '')
|
| 152 |
ct = request.args.get('ct', 'application/json')
|
|
|
|
| 161 |
except Exception as e:
|
| 162 |
return str(e), 500
|
| 163 |
|
|
|
|
|
|
|
|
|
|
| 164 |
@app.route('/data.csv')
|
| 165 |
def serve_csv():
|
|
|
|
| 166 |
entry = {
|
| 167 |
'time': time.time(),
|
| 168 |
'method': request.method,
|
|
|
|
| 176 |
|
| 177 |
@app.route('/data.jsonl')
|
| 178 |
def serve_jsonl():
|
|
|
|
| 179 |
entry = {
|
| 180 |
'time': time.time(),
|
| 181 |
'method': request.method,
|
|
|
|
| 186 |
}
|
| 187 |
LOG.append(entry)
|
| 188 |
return '{"text": "hello world"}\n{"text": "ssrf confirmed"}\n', 200, {'Content-Type': 'application/jsonl'}
|
| 189 |
+
|
| 190 |
+
if __name__ == '__main__':
|
| 191 |
+
app.run(host='0.0.0.0', port=7860)
|
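Review bot: The `LOG[-50:]` slice on new line 26 bounds only the response; every handler in these hunks still does `LOG.append(entry)` (new lines 64 and 187, and by the same pattern serve_csv), so on a long-running Space the list grows without limit. If LOG is a plain list (its definition is outside these hunks), `LOG = collections.deque(maxlen=1000)` at the definition together with `return jsonify(list(LOG)[-50:])` here would cap it, since a deque does not accept slices. The commit also drops every endpoint docstring (old lines 49, 56–58, 141, 151, 161, 181, 195), so the new side no longer states anywhere that `/redir`, `/mcp-proxy` (with `verify=False`), `/readfile` and `/listdir` are intentionally permissive test fixtures; a module-level comment such as `# Intentionally permissive SSRF/redirect test harness; run only inside an isolated lab network` would preserve that intent for the next reader. Separately, `int(request.args.get('code', '302'))` in redir raises ValueError on a non-numeric value and surfaces as a 500; `try: code = int(request.args.get('code', '302')) except ValueError: code = 302` keeps the endpoint usable. Each of these functions continues outside the lines shown in its hunk.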