58 lines
1005 B
Plaintext
58 lines
1005 B
Plaintext
include::../description.adoc[]
|
|
|
|
== Noncompliant Code Example
|
|
|
|
Flask
|
|
|
|
----
|
|
from flask import request, redirect
|
|
|
|
@app.route('move')
|
|
def move():
|
|
url = request.args["next"]
|
|
return redirect(url) # Noncompliant
|
|
----
|
|
|
|
|
|
Django
|
|
|
|
----
|
|
from django.http import HttpResponseRedirect
|
|
|
|
def move(request):
|
|
url = request.GET.get("next", "/")
|
|
return HttpResponseRedirect(url) # Noncompliant
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
Flask
|
|
|
|
----
|
|
from flask import request, redirect, url_for
|
|
|
|
@app.route('move')
|
|
def move():
|
|
endpoint = request.args["next"]
|
|
return redirect(url_for(endpoint)) # Compliant
|
|
----
|
|
|
|
|
|
Django
|
|
|
|
----
|
|
from django.http import HttpResponseRedirect
|
|
from urllib.parse import urlparse
|
|
|
|
DOMAINS_WHITELIST = ['www.example.com', 'example.com']
|
|
|
|
def move(request):
|
|
url = request.GET.get("next", "/")
|
|
parsed_uri = urlparse(url)
|
|
if parsed_uri.netloc in DOMAINS_WHITELIST:
|
|
return HttpResponseRedirect(url) # Compliant
|
|
return HttpResponseRedirect("/")
|
|
----
|
|
|
|
include::../see.adoc[]
|