rspec/rules/S5144/python/how-to-fix-it/requests.adoc

== How to fix it in Requests

=== Code examples

include::../../common/fix/code-rationale.adoc[]

==== Noncompliant code example

[source,python,diff-id=11,diff-type=noncompliant]
----
from flask import request
import requests

@app.route('/example')
def example():
    url = request.args["url"]
    requests.get(url).content # Noncompliant
----

==== Compliant solution

[source,python,diff-id=11,diff-type=compliant]
----
from flask import request
import requests
from urllib.parse import urlparse

DOMAINS_ALLOWLIST = ['trusted1.example.com', 'trusted2.example.com']

@app.route('/example')
def example():
    url = request.args["url"]
    if urlparse(url).hostname in DOMAINS_ALLOWLIST:
        requests.get(url).content
----

=== How does this work?

include::../../common/fix/pre-approved-list.adoc[]

The compliant code example uses such an approach.
The `requests` library implicitly validates the scheme as it only allows `http` and `https` by default.

=== Pitfalls

include::../../common/pitfalls/starts-with.adoc[]