== How to fix it in Python Standard Library

=== Code examples

The following code is vulnerable to arbitrary code execution because it passes a
string built from untrusted request data to `eval`, which runs it as Python code.

==== Noncompliant code example

[source,python,diff-id=1,diff-type=noncompliant]
----
from flask import Flask, request

app = Flask(__name__)


@app.route("/")
def example():
    # The query parameter is interpolated into source text and evaluated,
    # so whoever controls the request controls the executed code.
    operation = request.args.get("operation")
    eval(f"product_{operation}()")  # Noncompliant
    return "OK"
----

==== Compliant solution

[source,python,diff-id=1,diff-type=compliant]
----
from flask import Flask, request

app = Flask(__name__)


@app.route("/")
def example():
    # Untrusted input only selects an entry of the allowlist; the value that
    # reaches eval is always one of these fixed, developer-controlled names.
    allowed = ["add", "remove", "update"]
    operation = allowed[int(request.args.get("operationId"))]
    eval(f"product_{operation}()")

    return "OK"
----

=== How does this work?

include::../../common/fix/introduction.adoc[]

include::../../common/fix/parameters.adoc[]

include::../../common/fix/allowlist.adoc[]

The example compliant code uses such a binding approach.
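The binding approach can also be applied without `eval` at all: bind each allowed name directly to a function object and use the untrusted value only as a lookup key. The following is an added example, not part of the rule description or of the SonarSource code samples; the `product_*` functions, `run_operation` and `run_operation_by_id` are assumed names, and the inputs at the bottom are constructed stand-ins for `request.args` values. It also handles the cases the compliant sample leaves to the caller: a missing parameter, an unknown name, and a non-numeric or out-of-range id.

```python
# Added example (not the rule's own code): allowlist dispatch of an operation
# chosen by untrusted input, without building Python source text at runtime.
# Function and parameter names below are assumptions for illustration.

def product_add():
    return "added"


def product_remove():
    return "removed"


def product_update():
    return "updated"


# The allowlist: the only callables reachable from user input. The request
# value is used as a dict *key* and is never interpolated into code.
OPERATIONS = {
    "add": product_add,
    "remove": product_remove,
    "update": product_update,
}


def run_operation(operation):
    """Look the requested name up in the allowlist and call the bound function.

    Returns the operation's result, or None when the request is not allowed
    (missing parameter, unknown name, or a value that is not a str).
    """
    if not isinstance(operation, str):
        return None
    handler = OPERATIONS.get(operation)
    if handler is None:
        return None
    return handler()


def run_operation_by_id(operation_id):
    """Index-based variant matching the compliant sample's allowed list.

    Rejects non-numeric, negative and out-of-range ids by returning None,
    so a malformed request never surfaces as an unhandled exception.
    """
    allowed = ["add", "remove", "update"]
    try:
        index = int(operation_id)
    except (TypeError, ValueError):
        return None
    if not 0 <= index < len(allowed):
        return None
    return run_operation(allowed[index])


if __name__ == "__main__":
    # Constructed inputs standing in for request.args.get(...) results.
    for raw in ["add", "update", "delete", "product_add", None]:
        print(repr(raw), "->", run_operation(raw))
    for raw in ["0", "2", "3", "-1", "abc", None]:
        print(repr(raw), "->", run_operation_by_id(raw))
```

In a Flask route this would be called as `run_operation(request.args.get("operation"))`, returning an HTTP 400 when the result is `None`. Because the mapping holds function objects rather than strings, there is no point at which untrusted text becomes code, and adding a new operation means adding one dict entry rather than widening a pattern.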