Use of unsanitized data to make API calls

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Metadata

ID: python-flask/ssrf-requests

Language: Python

Severity: Error

Category: Security

CWE: 918

Description

Use of unsanitized data from incoming request for handling SQL request may lead to SQL injection. Incoming request data must always be sanitized before used.

Learn More

Non-Compliant Code Examples

import flask
import requests

app = flask.Flask(__name__)

@app.route("/route/to/resource/<resource_id>")
def resource(resource_id):
    foo = requests.get(f"https://api.service.ext/get/by/id/{resource_id}")
    return None


@app.route("/route/to/resource/<resource_id>")
def resource2(resource_id):
    bar = requests.get("https://api.service.ext/get/by/id/" + resource_id})
    return None

@app.route("/route/to/resource/<resource_id>")
def resource3(resource_id):
    baz = requests.get("https://api.service.ext/get/by/id/{0}".format(resource_id}))
    return None


@app.get("/route/to/another/resource/<resource_id>")
def resource4(resource_id):
    foo = requests.get(f"https://api.service.ext/get/by/id/{resource_id}")
    return None

@app.get("/route/to/another/resource/<resource_id>")
def resource5(resource_id):
    bar = requests.get("https://api.service.ext/get/by/id/" + resource_id})
    return None

@app.get("/route/to/another/resource/<resource_id>")
def resource6(resource_id):
    baz = requests.get("https://api.service.ext/get/by/id/{0}".format(resource_id}))
    return None

@app.route("/route/to/resource/the/return/<resource_id>", methods=["GET"])
def get_param():
    rid = flask.request.args.get("resource_id")
    # unsanitized data
    requests.post(f"https://api.service.ext/get/by/id/{rid}", timeout=10)
    requests.patch(rid, timeout=10)
    requests.get("https://api.service.ext/get/by/id/{0}".format(rid))
    requests.get("https://api.service.ext/get/by/id/" + rid)
    requests.patch(rid, timeout=10)
    return None

@app.route("/this/is/fine/<sure>")
def fine(sure):
    print("foobar")
    return requests.get("https://api.service.ext/nothing")

Compliant Code Examples

import flask
import requests

app = flask.Flask(__name__)

@app.route("/route/to/resource/<resource_id>")
def resource(resource_id):
    sanitized_resource_id = sanitize(resource_id)
    foo = requests.get(f"https://api.service.ext/get/by/id/{sanitized_resource_id}")
    return foo
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Analysis

PREVIEWING: rtrieu/product-analytics-ui-changes