rspec/rules/S5144/python/how-to-fix-it/httpx.adoc

== How to fix it in HTTPX

=== Code examples

include::../../common/fix/code-rationale.adoc[]

==== Noncompliant code example

[source,python,diff-id=21,diff-type=noncompliant]
----
from fastapi import FastAPI
import httpx

app = FastAPI()

@app.get('/example')
def example(url: str):
    r = httpx.get(url)  # Noncompliant
    return {"response": r.text}
----

==== Compliant solution

[source,python,diff-id=21,diff-type=compliant]
----
from fastapi import FastAPI
from fastapi.responses import JSONResponse
import httpx
from urllib.parse import urlparse

DOMAINS_ALLOWLIST = ['trusted1.example.com', 'trusted2.example.com']
app = FastAPI()

@app.get('/example')
def example(url: str):
    if not urlparse(url).hostname in DOMAINS_ALLOWLIST:
        return JSONResponse({"error": f"URL {url} is not whitelisted."}, 400)

    r = httpx.get(url)
    return {"response": r.text}
----

=== How does this work?

include::../../common/fix/pre-approved-list.adoc[]

The compliant code example uses such an approach.
HTTPX implicitly validates the scheme as it only allows `http` and `https` by default.

=== Pitfalls

include::../../common/pitfalls/starts-with.adoc[]
Modify rule S5144: Add HTTPX support (APPSEC-1247) (#3410) * Add HTTPX * Enhance compliant code sample * Keep samples consistent * Simplify compliant example somewhat 2023-12-03 12:32:40 +01:00			`== How to fix it in HTTPX`

			`=== Code examples`

			`include::../../common/fix/code-rationale.adoc[]`

			`==== Noncompliant code example`

			`[source,python,diff-id=21,diff-type=noncompliant]`
			`----`
			`from fastapi import FastAPI`
			`import httpx`

			`app = FastAPI()`

			`@app.get('/example')`
			`def example(url: str):`
			`r = httpx.get(url) # Noncompliant`
			`return {"response": r.text}`
			`----`

			`==== Compliant solution`

			`[source,python,diff-id=21,diff-type=compliant]`
			`----`
			`from fastapi import FastAPI`
			`from fastapi.responses import JSONResponse`
			`import httpx`
			`from urllib.parse import urlparse`

			`DOMAINS_ALLOWLIST = ['trusted1.example.com', 'trusted2.example.com']`
			`app = FastAPI()`

			`@app.get('/example')`
			`def example(url: str):`
			`if not urlparse(url).hostname in DOMAINS_ALLOWLIST:`
			`return JSONResponse({"error": f"URL {url} is not whitelisted."}, 400)`

			`r = httpx.get(url)`
			`return {"response": r.text}`
			`----`

			`=== How does this work?`

			`include::../../common/fix/pre-approved-list.adoc[]`

			`The compliant code example uses such an approach.`
			HTTPX implicitly validates the scheme as it only allows `http` and `https` by default.

			`=== Pitfalls`

			`include::../../common/pitfalls/starts-with.adoc[]`