
Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in.
45 lines
959 B
Plaintext
== How to fix it in Python Standard Library

=== Code examples

The following code is vulnerable to arbitrary code execution because it runs
dynamic Python code based on untrusted data.

==== Noncompliant code example

[source,python,diff-id=1,diff-type=noncompliant]
----
from flask import Flask, request

app = Flask(__name__)

@app.route("/")
def example():
    operation = request.args.get("operation")
    # the untrusted query-string value is interpolated straight into code that is evaluated
    eval(f"product_{operation}()") # Noncompliant
    return "OK"
----

==== Compliant solution

[source,python,diff-id=1,diff-type=compliant]
----
from flask import Flask, request

app = Flask(__name__)

@app.route("/")
def example():
    allowed = ["add", "remove", "update"]
    # operationId is an index into the fixed allowlist, not a code fragment:
    # it is parsed as an integer and bounds-checked, so only a listed name can reach eval()
    operation_id = request.args.get("operationId", type=int)
    if operation_id is None or not 0 <= operation_id < len(allowed):
        return "Invalid operation", 400
    operation = allowed[operation_id]
    eval(f"product_{operation}()")

    return "OK"
----

=== How does this work?

include::../../common/fix/introduction.adoc[]

include::../../common/fix/parameters.adoc[]

include::../../common/fix/allowlist.adoc[]

The example compliant code uses such a binding approach.
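As an added illustration of the binding approach (this is example code, not part of the rule documentation above), the following framework-agnostic version goes one step further than the compliant solution: the untrusted value is only ever used as a dictionary key, so no string reaches `eval()` at all. The `product_*` functions, the numeric ids and `run_operation()` are constructed stand-ins; in the Flask view you would pass `request.args.get("operationId")` to `run_operation()` and return its result.

```python
from typing import Callable, Dict, Optional

# Constructed stand-ins for the product_add()/product_remove()/product_update()
# functions the rule's examples refer to; each returns a string so the outcome is checkable.
def product_add() -> str:
    return "added"

def product_remove() -> str:
    return "removed"

def product_update() -> str:
    return "updated"

# The allowlist is a fixed mapping from an opaque identifier to a callable.
# Untrusted input is only ever a lookup key here; it is never turned into source code.
OPERATIONS: Dict[int, Callable[[], str]] = {
    0: product_add,
    1: product_remove,
    2: product_update,
}

def resolve_operation(raw_id: Optional[str]) -> Optional[Callable[[], str]]:
    """Bind an untrusted query-string value to an allowlisted callable.

    Returns None for anything that is not exactly one of the known ids:
    a missing value, non-numeric text, surrounding whitespace, a sign
    (a negative number would silently index a list from the end) or an
    id outside the mapping.
    """
    if raw_id is None or not raw_id.isdecimal():
        return None
    # dict lookup: an unknown id yields None instead of an exception or a wrong entry
    return OPERATIONS.get(int(raw_id))

def run_operation(raw_id: Optional[str]) -> str:
    """What the view function body would do; returns the response text."""
    operation = resolve_operation(raw_id)
    if operation is None:
        return "rejected"
    return operation()
```

Because the lookup table is the only path from input to code, adding a new operation means adding one mapping entry rather than widening what the interpreter is allowed to evaluate.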