
Rule S3752: Allowing both safe and unsafe HTTP methods is security-sensitive


    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.3
    • Component/s: Rules
    • Labels:

      Description

      This rule raises an issue if safe and unsafe HTTP methods can be used for the same view.

      Definition

      Common safe HTTP methods are: GET, HEAD, and OPTIONS.
      Common unsafe HTTP methods are: POST, PUT, and DELETE.

      Django

      The rule should raise for Django view methods if none of the following decorators is present:

      • require_http_methods()
      • require_POST
      • require_GET
      • require_safe

      The rule should also raise if require_http_methods() contains both a safe and an unsafe method at the same time.

      Code samples: https://github.com/SonarSource/security-expected-issues/tree/master/python/vulnerable-apps/django-vulnerable/djangovulnerable/methods

      Flask

      The rule should raise for Flask view methods if the methods attribute of the route decorator contains both a safe and an unsafe method at the same time.

      Code samples: https://github.com/SonarSource/security-expected-issues/blob/master/python/vulnerable-apps/flask-vulnerable/methods.py
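The following is an added example, not SonarSource's implementation of S3752 and not code from the linked sample repositories. It applies the detection logic described in the Django and Flask sections above to Python source with the standard-library ast module: a Django view is reported when none of the four listed decorators is present, or when require_http_methods() lists both a safe and an unsafe method; a Flask view is reported when the route decorator's methods list mixes the two. The sample view modules are constructed for the example, and the checker assumes (hypothetically, to keep it self-contained) that every function in the analysed source is a view; a real analyser would resolve views through urlpatterns and Flask's app object.

```python
import ast

SAFE = {"GET", "HEAD", "OPTIONS"}
UNSAFE = {"POST", "PUT", "DELETE"}
# Django decorators (django.views.decorators.http) that restrict methods, per the rule description
DJANGO_RESTRICTING = {"require_http_methods", "require_POST", "require_GET", "require_safe"}


def _decorator_name(dec):
    """Bare name of a decorator node: @name, @name(...), @obj.name(...)."""
    node = dec.func if isinstance(dec, ast.Call) else dec
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None


def _method_set(node):
    """Upper-cased method names from a list/tuple of string literals; None if not a literal."""
    if not isinstance(node, (ast.List, ast.Tuple)):
        return None
    methods = set()
    for elt in node.elts:
        if not (isinstance(elt, ast.Constant) and isinstance(elt.value, str)):
            return None  # dynamic value: cannot be decided statically
        methods.add(elt.value.upper())
    return methods


def _mixes(methods):
    """True when the set contains at least one safe and one unsafe method."""
    return bool(methods & SAFE) and bool(methods & UNSAFE)


def check_source(source, framework):
    """Return (lineno, view name, message) tuples for views that accept both safe and unsafe methods.

    Assumption (hypothetical, for this example): every function in `source` is a view.
    """
    issues = []
    for fn in ast.walk(ast.parse(source)):
        if not isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        if framework == "django":
            restricting = [d for d in fn.decorator_list if _decorator_name(d) in DJANGO_RESTRICTING]
            if not restricting:
                issues.append((fn.lineno, fn.name, "no method restriction: safe and unsafe methods both reach the view"))
                continue
            for dec in restricting:
                if isinstance(dec, ast.Call) and _decorator_name(dec) == "require_http_methods" and dec.args:
                    methods = _method_set(dec.args[0])
                    if methods is not None and _mixes(methods):
                        issues.append((fn.lineno, fn.name, f"require_http_methods mixes {sorted(methods)}"))
        elif framework == "flask":
            for dec in fn.decorator_list:
                if not (isinstance(dec, ast.Call) and _decorator_name(dec) == "route"):
                    continue
                for kw in dec.keywords:
                    if kw.arg == "methods":
                        methods = _method_set(kw.value)
                        if methods is not None and _mixes(methods):
                            issues.append((fn.lineno, fn.name, f"route methods mix {sorted(methods)}"))
        else:
            raise ValueError(f"unknown framework: {framework}")
    return issues


# Constructed sample modules (not from the linked repositories).
DJANGO_SAMPLE = '''
from django.views.decorators.http import require_http_methods, require_POST

def unrestricted(request):               # noncompliant: any method reaches the view
    ...

@require_http_methods(["GET", "POST"])   # noncompliant: safe and unsafe mixed
def mixed(request):
    ...

@require_POST                            # compliant: unsafe only
def only_post(request):
    ...

@require_http_methods(["GET", "HEAD"])   # compliant: safe only
def only_safe(request):
    ...
'''

FLASK_SAMPLE = '''
from flask import Flask
app = Flask(__name__)

@app.route("/mixed", methods=["GET", "POST"])   # noncompliant
def mixed():
    return "ok"

@app.route("/submit", methods=["POST"])         # compliant
def submit():
    return "ok"

@app.route("/default")                          # compliant: GET only by default
def default():
    return "ok"
'''

if __name__ == "__main__":
    for framework, sample in (("django", DJANGO_SAMPLE), ("flask", FLASK_SAMPLE)):
        for lineno, name, message in check_source(sample, framework):
            print(f"{framework}:{lineno} {name}: {message}")
```

Running the module reports unrestricted and mixed for the Django sample and mixed for the Flask sample. Method lists that are not string literals are skipped rather than guessed, which keeps the checker free of false positives at the cost of missing dynamically built lists, the same trade-off a static rule has to make.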

              People

              Assignee:
              andrea.guarino Andrea Guarino
              Reporter:
              hendrik.buchwald Hendrik Buchwald
              Votes:
              0
              Watchers:
              1
