ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S5135/python/how-to-fix-it/python.adoc
Loris S bfb697d3a1
Modify S5135(Python): Fix code samples (#3829) 
* Modify S5135(Python): Fix code samples

* Update rules/S5135/python/how-to-fix-it/python.adoc
2024-03-27 15:57:47 +01:00

49 lines
988 B
Plaintext
Raw Blame History

== How to fix it in Python Standard Library
=== Code examples
The following code is vulnerable to deserialization attacks because it
deserializes HTTP data without validating it first.
==== Noncompliant code example
[source,python,diff-id=1,diff-type=noncompliant]
----
from flask import Flask, request
from base64 import b64decode
import pickle
app = Flask(__name__)
@app.route("/example")
def example():
objstr = b64decode(request.args.get("object"))
obj = pickle.loads(objstr)
return str(obj.status == "OK")
----
==== Compliant solution
[source,python,diff-id=1,diff-type=compliant]
----
from flask import Flask, request
import json
app = Flask(__name__)
@app.route("/example")
def example():
obj = json.loads(request.args.get("object"))
return str(obj["status"] == "OK")
----
=== How does this work?
include::../../common/fix/introduction.adoc[]
include::../../common/fix/safer-serialization.adoc[]
include::../../common/fix/integrity-check.adoc[]
Reference in New Issue View Git Blame Copy Permalink