84 lines
1.7 KiB
Plaintext
84 lines
1.7 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
== Noncompliant Code Example
|
|
|
|
Flask
|
|
|
|
[source,python]
|
|
----
|
|
from flask import request, redirect, Response
|
|
|
|
@app.route('flask_redirect')
|
|
def flask_redirect():
|
|
url = request.args["next"]
|
|
return redirect(url) # Noncompliant
|
|
|
|
@app.route('set_location_header')
|
|
def set_location_header():
|
|
url = request.args["next"]
|
|
response = Response("redirecting...", 302)
|
|
response.headers['Location'] = url # Noncompliant
|
|
return response
|
|
----
|
|
|
|
Django
|
|
|
|
[source,python]
|
|
----
|
|
from django.http import HttpResponseRedirect
|
|
|
|
def http_responser_redirect(request):
|
|
url = request.GET.get("next", "/")
|
|
return HttpResponseRedirect(url) # Noncompliant
|
|
|
|
def set_location_header(request):
|
|
url = request.GET.get("next", "/")
|
|
response = HttpResponse(status=302)
|
|
response['Location'] = url # Noncompliant
|
|
return response
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
Flask
|
|
|
|
[source,python]
|
|
----
|
|
from flask import request, redirect, Response, url_for
|
|
|
|
@app.route('flask_redirect')
|
|
def flask_redirect():
|
|
endpoint = request.args["next"]
|
|
return redirect(url_for(endpoint))
|
|
----
|
|
|
|
Django
|
|
|
|
[source,python]
|
|
----
|
|
from django.http import HttpResponseRedirect
|
|
from urllib.parse import urlparse
|
|
|
|
DOMAINS_WHITELIST = ['www.example.com', 'example.com']
|
|
|
|
def http_responser_redirect(request):
|
|
url = request.GET.get("next", "/")
|
|
parsed_uri = urlparse(url)
|
|
if parsed_uri.netloc in DOMAINS_WHITELIST:
|
|
return HttpResponseRedirect(url)
|
|
return HttpResponseRedirect("/")
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
include::../highlighting.adoc[]
|
|
|
|
endif::env-github,rspecator-view[]
|