[SONARPY-831] Rule S3752: Allowing both safe and unsafe HTTP methods is security-sensitive - SonarSource

XML

Word

Printable

Details

Type: New Feature
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 3.3
Component/s: Rules
Labels:
- peach-verified

Description

This rule raises an issue if safe and unsafe HTTP methods can be used for the same view.

Definition

Common safe HTTP methods are: GET, HEAD, and OPTIONS.
Common unsafe HTTP methods are: POST, PUT, and DELETE.

Django

The rule should raise for Django view methods if none of the following decorators is present:

require_http_methods()
require_POST
require_GET
require_safe

Alternatively, the rule should raise if require_http_methods() contains both a safe and unsafe method at the same time.

Code samples: https://github.com/SonarSource/security-expected-issues/tree/master/python/vulnerable-apps/django-vulnerable/djangovulnerable/methods

Flask

The rule should raise for Flask view methods if the methods attribute of the route decorator contains both a safe and unsafe method at the same time.

Code samples: https://github.com/SonarSource/security-expected-issues/blob/master/python/vulnerable-apps/flask-vulnerable/methods.py

Attachments

Issue Links

implements

RSPEC-3752 Allowing both safe and unsafe HTTP methods is security-sensitive

Active

Activity

People

Assignee:: Andrea Guarino

Reporter:: Hendrik Buchwald

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Due:: 03/Mar/21

Created:: 28/Jan/21 11:46 AM

Updated:: 01/Mar/21 10:56 AM

Resolved:: 26/Feb/21 4:25 PM