rspec/rules/S6839/python/rule.adoc

include::../description.adoc[]

include::../how-to-fix-it.adoc[]

=== Code examples

==== Noncompliant code example

[source,python,diff-id=1,diff-type=noncompliant]
----
from http.server import BaseHTTPRequestHandler
from urllib.parse import urlparse, parse_qs

class ReqHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        parsed = urlparse(self.path)
        params = parse_qs(parsed.query)
        self.send_response(200)
        self.send_header("Content-Type", params.get('accept')[0]) # Noncompliant
        self.end_headers()
        self.wfile.write(bytes("Hello World!", "utf-8"))
----

==== Compliant solution

[source,python,diff-id=1,diff-type=compliant]
----
from http.server import BaseHTTPRequestHandler
from urllib.parse import urlparse, parse_qs, quote

class ReqHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        parsed = urlparse(self.path)
        params = parse_qs(parsed.query)
        self.send_response(200)
        self.send_header("Content-Type", quote(params.get('accept')[0])) # Compliant
        self.end_headers()
        self.wfile.write(bytes("Hello World!", "utf-8"))
----

=== How does this work?

By applying a URL encoding to an untrusted header value, the application ensures that all special characters are properly escaped before they are added to the HTTP response. Especially `\r` (Carriage Return) and `\n` (Line Feed) characters will be encoded to `%0D` and `%OA` and won't be able to alter the HTTP response's semantics.

//=== Pitfalls

//=== Going the extra mile


//== Resources

include::../see.adoc[]

//=== Documentation
//=== Articles & blog posts
//=== Conference presentations
//=== Standards
//=== External coding guidelines
//=== Benchmarks


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Change this code to not set an HTTP response header based on a user-controlled
value.

=== Highlighting

Highlight the tainted argument in the sink parameters.

endif::env-github,rspecator-view[]
Create rule S6839 (#3421) 2023-11-22 10:45:39 +01:00			`include::../description.adoc[]`

			`include::../how-to-fix-it.adoc[]`

			`=== Code examples`

			`==== Noncompliant code example`

			`[source,python,diff-id=1,diff-type=noncompliant]`
			`----`
Modify rule S6839: Fix typos in Python code snippets in description 2023-12-06 13:21:40 +01:00			`from http.server import BaseHTTPRequestHandler`
Create rule S6839 (#3421) 2023-11-22 10:45:39 +01:00			`from urllib.parse import urlparse, parse_qs`

			`class ReqHandler(BaseHTTPRequestHandler):`
			`def do_GET(self):`
			`parsed = urlparse(self.path)`
			`params = parse_qs(parsed.query)`
			`self.send_response(200)`
			`self.send_header("Content-Type", params.get('accept')[0]) # Noncompliant`
			`self.end_headers()`
			`self.wfile.write(bytes("Hello World!", "utf-8"))`
			`----`

			`==== Compliant solution`

			`[source,python,diff-id=1,diff-type=compliant]`
			`----`
Modify rule S6839: Fix typos in Python code snippets in description 2023-12-06 13:21:40 +01:00			`from http.server import BaseHTTPRequestHandler`
Create rule S6839 (#3421) 2023-11-22 10:45:39 +01:00			`from urllib.parse import urlparse, parse_qs, quote`

			`class ReqHandler(BaseHTTPRequestHandler):`
			`def do_GET(self):`
			`parsed = urlparse(self.path)`
			`params = parse_qs(parsed.query)`
			`self.send_response(200)`
Modify rule S6839: Fix typos in Python code snippets in description 2023-12-06 13:21:40 +01:00			`self.send_header("Content-Type", quote(params.get('accept')[0])) # Compliant`
Create rule S6839 (#3421) 2023-11-22 10:45:39 +01:00			`self.end_headers()`
			`self.wfile.write(bytes("Hello World!", "utf-8"))`
			`----`

			`=== How does this work?`

			By applying a URL encoding to an untrusted header value, the application ensures that all special characters are properly escaped before they are added to the HTTP response. Especially `\r` (Carriage Return) and `\n` (Line Feed) characters will be encoded to `%0D` and `%OA` and won't be able to alter the HTTP response's semantics.

			`//=== Pitfalls`

			`//=== Going the extra mile`


			`//== Resources`

			`include::../see.adoc[]`

			`//=== Documentation`
			`//=== Articles & blog posts`
			`//=== Conference presentations`
			`//=== Standards`
			`//=== External coding guidelines`
			`//=== Benchmarks`


			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`=== Message`

			`Change this code to not set an HTTP response header based on a user-controlled`
			`value.`

			`=== Highlighting`

			`Highlight the tainted argument in the sink parameters.`

Modify rule S6839: Fix typos in Python code snippets in description 2023-12-06 13:21:40 +01:00			`endif::env-github,rspecator-view[]`