rspec/rules/S5300/python/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

== Recommended Secure Coding Practices

* Use an email library which sanitizes headers (Flask-Mail or django.core.mail).
* Use html escape functions to sanitize every piece of data used to in the email body.
* Verify application logic to make sure that email base feature can not be abuse to:
** Send arbitrary email for spamming or fishing
** Disclose sensitive email content

== Sensitive Code Example

smtplib

----
import smtplib

def send(from_email, to_email, msg):    
  server = smtplib.SMTP('localhost', 1025)   
  server.sendmail(from_email, to_email, msg) # Sensitive
----
Django

----
from django.core.mail import send_mail

def send(subject, msg, from_email, to_email):    
  send_mail(subject, msg, from_email, [to_email]) # Sensitive
----
Flask-Mail

----
from flask import Flask
from flask_mail import Mail, Message

app = Flask(__name__)

def send(subject, msg, from_email, to_email):    
    mail = Mail(app)
    msg = Message(subject, [to_email], body, sender=from_email)
    mail.send(msg) # Sensitive{code}
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]
'''
== Comments And Links
(visible only on this page)

include::comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`include::../description.adoc[]`

			`include::../ask-yourself.adoc[]`

			`== Recommended Secure Coding Practices`

Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00			`* Use an email library which sanitizes headers (Flask-Mail or django.core.mail).`
			`* Use html escape functions to sanitize every piece of data used to in the email body.`
			`* Verify application logic to make sure that email base feature can not be abuse to:`
fix the nested lists and quotes 2021-01-06 17:38:34 +01:00			`** Send arbitrary email for spamming or fishing`
			`** Disclose sensitive email content`
Add rules 5000-5999 2020-06-30 12:50:28 +02:00
			`== Sensitive Code Example`

			`smtplib`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
			`import smtplib`

			`def send(from_email, to_email, msg):`
			`server = smtplib.SMTP('localhost', 1025)`
			`server.sendmail(from_email, to_email, msg) # Sensitive`
			`----`
			`Django`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
			`from django.core.mail import send_mail`

			`def send(subject, msg, from_email, to_email):`
			`send_mail(subject, msg, from_email, [to_email]) # Sensitive`
			`----`
			`Flask-Mail`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
			`from flask import Flask`
			`from flask_mail import Mail, Message`

			`app = Flask(__name__)`

			`def send(subject, msg, from_email, to_email):`
			`mail = Mail(app)`
			`msg = Message(subject, [to_email], body, sender=from_email)`
			`mail.send(msg) # Sensitive{code}`
			`----`

			`include::../see.adoc[]`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

			`include::comments-and-links.adoc[]`
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`