2023-03-07 17:16:47 +01:00
|
|
|
== How to fix it in Requests
|
|
|
|
|
|
|
|
|
|
=== Code examples
|
2022-11-23 17:38:23 +01:00
|
|
|
|
|
|
|
|
include::../../common/fix/code-rationale.adoc[]
|
|
|
|
|
|
|
|
|
|
==== Noncompliant code example
|
|
|
|
|
|
|
|
|
|
[source,python,diff-id=1,diff-type=noncompliant]
|
|
|
|
|
----
|
|
|
|
|
from flask import request
|
|
|
|
|
import requests
|
|
|
|
|
|
|
|
|
|
@app.route('/example')
|
|
|
|
|
def example():
|
|
|
|
|
url = request.args["url"]
|
|
|
|
|
requests.get(url).content # Noncompliant
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
==== Compliant solution
|
|
|
|
|
|
|
|
|
|
[source,python,diff-id=1,diff-type=compliant]
|
|
|
|
|
----
|
|
|
|
|
from flask import request
|
|
|
|
|
import requests
|
|
|
|
|
from urllib.parse import urlparse
|
|
|
|
|
|
|
|
|
|
DOMAINS_ALLOWLIST = ['trusted1.example.com', 'trusted2.example.com']
|
|
|
|
|
|
|
|
|
|
@app.route('/example')
|
|
|
|
|
def example():
|
|
|
|
|
url = request.args["url"]
|
|
|
|
|
if urlparse(url).hostname in DOMAINS_ALLOWLIST:
|
|
|
|
|
requests.get(url).content
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
include::../../common/fix/how-does-this-work.adoc[]
|
|
|
|
|
|
|
|
|
|
The compliant code example uses such an approach.
|
|
|
|
|
The `requests` library implicitly validates the scheme as it only allows `http` and `https` by default.
|
|
|
|
|
|
|
|
|
|
=== Pitfalls
|
|
|
|
|
|
|
|
|
|
include::../../common/pitfalls/starts-with.adoc[]
|
