- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
ID: python-flask/ssrf-requests
Language: Python
Severity: Error
Category: Security
CWE: 89
Use of unsanitized data from incoming request for handling SQL request may lead to SQL injection. Incoming request data must always be sanitized before used.
import flask
import requests
app = flask.Flask(__name__)
@app.route("/route/to/resource/<resource_id>")
def resource(resource_id):
foo = requests.get(f"https://api.service.ext/get/by/id/{resource_id}")
return None
@app.route("/route/to/resource/<resource_id>")
def resource2(resource_id):
bar = requests.get("https://api.service.ext/get/by/id/" + resource_id})
return None
@app.route("/route/to/resource/<resource_id>")
def resource3(resource_id):
baz = requests.get("https://api.service.ext/get/by/id/{0}".format(resource_id}))
return None
@app.get("/route/to/another/resource/<resource_id>")
def resource4(resource_id):
foo = requests.get(f"https://api.service.ext/get/by/id/{resource_id}")
return None
@app.get("/route/to/another/resource/<resource_id>")
def resource5(resource_id):
bar = requests.get("https://api.service.ext/get/by/id/" + resource_id})
return None
@app.get("/route/to/another/resource/<resource_id>")
def resource6(resource_id):
baz = requests.get("https://api.service.ext/get/by/id/{0}".format(resource_id}))
return None
@app.route("/route/to/resource/the/return/<resource_id>", methods=["GET"])
def get_param():
rid = flask.request.args.get("resource_id")
# unsanitized data
requests.post(f"https://api.service.ext/get/by/id/{rid}", timeout=10)
requests.patch(rid, timeout=10)
requests.get("https://api.service.ext/get/by/id/{0}".format(rid))
requests.get("https://api.service.ext/get/by/id/" + rid)
requests.patch(rid, timeout=10)
return None
@app.route("/this/is/fine/<sure>")
def fine(sure):
print("foobar")
return requests.get("https://api.service.ext/nothing")
import flask
import requests
app = flask.Flask(__name__)
@app.route("/route/to/resource/<resource_id>")
def resource(resource_id):
sanitized_resource_id = sanitize(resource_id)
foo = requests.get(f"https://api.service.ext/get/by/id/{sanitized_resource_id}")
return foo