rspec/rules/S5145/python/how-to-fix-it/python.adoc

== How to fix it in Python Standard Library

=== Code examples

include::../../common/fix/code-rationale.adoc[]

==== Noncompliant code example

[source,python,diff-id=11,diff-type=noncompliant]
----
import logging

logger = logging.getLogger(__name__)

@app.route('/example')
def log():
    data = request.args["data"]
    logger.log(logging.CRITICAL, "%s", data) # Noncompliant
----

==== Compliant solution

[source,python,diff-id=11,diff-type=compliant]
----
import logging
import base64

logger = logging.getLogger(__name__)

@app.route('/example')
def log():
    data = request.args["data"]
    if data.isalnum():
        logger.log(logging.CRITICAL, "%s", data)
    else:
        logger.log(logging.CRITICAL, "Invalid Input: %s", base64.b64encode(data.encode('UTF-8')))
----

include::../../common/fix/how-does-this-work.adoc[]

Here, the example compliant code uses the `isalnum` function to ensure the untrusted data is safe. If not, it performs Base64 encoding to protect from log injection.
Add checks for education format (#1607) 2023-03-07 17:16:47 +01:00			`== How to fix it in Python Standard Library`

			`=== Code examples`
Modify rule S5145(Python): Update text to the Education Framework structure (APPSEC-226) (#1366) 2022-11-07 09:05:01 +01:00
			`include::../../common/fix/code-rationale.adoc[]`

			`==== Noncompliant code example`

Diff blocks: fix incorrect use for python (#2795) Improvement identified in #2790. Add a prefix to the diff-id when it is used multiple times in different "how to fix it in XYZ" sections to avoid ambiguity and pedantically follow the spec: > A single and unique diff-id should be used only once for each type of code example as shown in the description of a rule. Obvious typos around `diff-type` were fixed. An obvious extra use of diff blocks was removed. 2023-08-21 15:22:49 +02:00			`[source,python,diff-id=11,diff-type=noncompliant]`
Modify rule S5145(Python): Update text to the Education Framework structure (APPSEC-226) (#1366) 2022-11-07 09:05:01 +01:00			`----`
			`import logging`

			`logger = logging.getLogger(__name__)`

			`@app.route('/example')`
			`def log():`
			`data = request.args["data"]`
			`logger.log(logging.CRITICAL, "%s", data) # Noncompliant`
			`----`

			`==== Compliant solution`

Diff blocks: fix incorrect use for python (#2795) Improvement identified in #2790. Add a prefix to the diff-id when it is used multiple times in different "how to fix it in XYZ" sections to avoid ambiguity and pedantically follow the spec: > A single and unique diff-id should be used only once for each type of code example as shown in the description of a rule. Obvious typos around `diff-type` were fixed. An obvious extra use of diff blocks was removed. 2023-08-21 15:22:49 +02:00			`[source,python,diff-id=11,diff-type=compliant]`
Modify rule S5145(Python): Update text to the Education Framework structure (APPSEC-226) (#1366) 2022-11-07 09:05:01 +01:00			`----`
			`import logging`
			`import base64`

			`logger = logging.getLogger(__name__)`

			`@app.route('/example')`
			`def log():`
			`data = request.args["data"]`
			`if data.isalnum():`
			`logger.log(logging.CRITICAL, "%s", data)`
			`else:`
			`logger.log(logging.CRITICAL, "Invalid Input: %s", base64.b64encode(data.encode('UTF-8')))`
			`----`

			`include::../../common/fix/how-does-this-work.adoc[]`

			Here, the example compliant code uses the `isalnum` function to ensure the untrusted data is safe. If not, it performs Base64 encoding to protect from log injection.