rspec/rules/S6560/python/rule.adoc

== Why is this an issue?

By default, only dictionary objects can be serialized in Django JSON-encoded response. Before ECMASCript 5, serializing non-dictionary objects could lead to security vulnerabilities. Since most modern browsers implement ECMAScript 5, this vector of attack is no longer a threat and it is possible to serialize non-dictionary objects by setting the `safe` flag to `False`. However, if this flag is not set, a `TypeError` will be thrown by the serializer. 

Despite this possibility, it is still recommended to serialize dictionary objects, as an API based on `dict` is generally more extensible and easier to maintain.

== How to fix it

To fix this issue, developers should ensure that the safe flag is set to "False" when attempting to serialize non-dictionary objects in Django.

=== Code examples

==== Noncompliant code example

[source,python]
----
from django.http import JsonResponse
response = JsonResponse([1, 2, 3])
----

==== Compliant solution

[source,python]
----
from django.http import JsonResponse
response = JsonResponse([1, 2, 3], safe=False)
----

== Resources
=== Documentation
https://docs.djangoproject.com/en/4.1/ref/request-response/#serializing-non-dictionary-objects[Serializing non-dictionary objects]


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Use a dictionary object here, or set the "safe" flag to False.


'''
endif::env-github,rspecator-view[]
Create rule S6560: The "safe" flag should be set to "False" when serializing non-dictionary objects in Django JSON-encoded responses. (#1710) 2023-05-05 13:55:31 +02:00			`== Why is this an issue?`

			By default, only dictionary objects can be serialized in Django JSON-encoded response. Before ECMASCript 5, serializing non-dictionary objects could lead to security vulnerabilities. Since most modern browsers implement ECMAScript 5, this vector of attack is no longer a threat and it is possible to serialize non-dictionary objects by setting the `safe` flag to `False`. However, if this flag is not set, a `TypeError` will be thrown by the serializer.

			Despite this possibility, it is still recommended to serialize dictionary objects, as an API based on `dict` is generally more extensible and easier to maintain.

			`== How to fix it`

			`To fix this issue, developers should ensure that the safe flag is set to "False" when attempting to serialize non-dictionary objects in Django.`

			`=== Code examples`

			`==== Noncompliant code example`

			`[source,python]`
			`----`
			`from django.http import JsonResponse`
			`response = JsonResponse([1, 2, 3])`
			`----`

			`==== Compliant solution`

			`[source,python]`
			`----`
			`from django.http import JsonResponse`
			`response = JsonResponse([1, 2, 3], safe=False)`
			`----`

			`== Resources`
			`=== Documentation`
			`https://docs.djangoproject.com/en/4.1/ref/request-response/#serializing-non-dictionary-objects[Serializing non-dictionary objects]`


			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`

			`Use a dictionary object here, or set the "safe" flag to False.`

Create rule S6560: The "safe" flag should be set to "False" when serializing non-dictionary objects in Django JSON-encoded responses. (#1710) 2023-05-05 13:55:31 +02:00
			`'''`
			`endif::env-github,rspecator-view[]`