rspec/rules/S3752/python/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

For https://www.djangoproject.com/[Django]:

----
# No method restriction
def view(request):  # Sensitive
    return HttpResponse("...")
----

----
@require_http_methods(["GET", "POST"])  # Sensitive
def view(request):
    return HttpResponse("...")
----

For https://flask.palletsprojects.com/en/1.1.x/[Flask]:

----
@methods.route('/sensitive', methods=['GET', 'POST'])  # Sensitive
def view():
    return Response("...", 200)
----

== Compliant Solution

For https://www.djangoproject.com/[Django]:

[source,python]
----
@require_http_methods(["POST"])
def view(request):
    return HttpResponse("...")
----

[source,python]
----
@require_POST
def view(request):
    return HttpResponse("...")
----

[source,python]
----
@require_GET
def view(request):
    return HttpResponse("...")
----

[source,python]
----
@require_safe
def view(request):
    return HttpResponse("...")
----

For https://flask.palletsprojects.com/en/1.1.x/[Flask]:

[source,python]
----
@methods.route('/compliant1')
def view():
    return Response("...", 200)
----

[source,python]
----
@methods.route('/compliant2', methods=['GET'])
def view():
    return Response("...", 200)
----

== See

* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design
* https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A5-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control
* https://cwe.mitre.org/data/definitions/352[MITRE, CWE-352] - Cross-Site Request Forgery (CSRF)
* https://owasp.org/www-community/attacks/csrf[OWASP: Cross-Site Request Forgery]
* https://www.sans.org/top25-software-errors/#cat1[SANS Top 25] - Insecure Interaction Between Components
* https://docs.djangoproject.com/en/3.1/topics/http/decorators/#allowed-http-methods[Django] - Allowed HTTP Methods
* https://flask.palletsprojects.com/en/1.1.x/quickstart/#http-methods[Flask] - HTTP Methods

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

include::../highlighting.adoc[]

'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]