Modify rule S4507: Add support for Flask-GraphQL (#3428)

* Added how to fix it section for flask-graphql * Restructured code examples * Adjusted format * Change to allowed_framework_names not needed anymore * Update rule.adoc * Applied suggestion.
2025-02-03 12:08:40 +01:00 · 2025-02-03 12:08:40 +01:00 · 071e229c14
commit 071e229c14
parent fc7ed69d88
1 changed files with 36 additions and 0 deletions
--- a/rules/S4507/python/rule.adoc
+++ b/rules/S4507/python/rule.adoc
@ -28,6 +28,7 @@ DEBUG = True  # Sensitive
 DEBUG_PROPAGATE_EXCEPTIONS = True  # Sensitive
 ----

+
 Flask application startup:

 [source,python,diff-id=3,diff-type=noncompliant]
@ -39,6 +40,25 @@ app.debug = True  # Sensitive
 app.run(debug=True)  # Sensitive
 ----

+The following code defines a GraphQL endpoint with GraphiQL enabled. While this might be a useful configuration during development, it should never be enabled for applications deployed in production:
+
+[source,python,diff-id=4,diff-type=noncompliant]
+----
+from flask import Flask
+from graphql_server.flask import GraphQLView
+
+app = Flask(__name__)
+
+app.add_url_rule(
+    '/graphql',
+    view_func=GraphQLView.as_view(
+        'graphql',
+        schema=schema,
+        graphiql=True # Sensitive
+    )
+)
+----
+
 == Compliant Solution

 [source,python,diff-id=1,diff-type=compliant]
@ -67,6 +87,22 @@ app.debug = False
 app.run(debug=False)
 ----

+[source,python,diff-id=4,diff-type=compliant]
+----
+from flask import Flask
+from graphql_server.flask import GraphQLView
+
+app = Flask(__name__)
+
+app.add_url_rule(
+    '/graphql',
+    view_func=GraphQLView.as_view(
+        'graphql',
+        schema=schema
+    )
+)
+----
+
 include::../see.adoc[]

 ifdef::env-github,rspecator-view[]