a3fd54b8a4
* Add HTTPX * Enhance compliant code sample * Keep samples consistent * Simplify compliant example somewhat
53 lines
1.1 KiB
Plaintext
53 lines
1.1 KiB
Plaintext
== How to fix it in HTTPX
|
|
|
|
=== Code examples
|
|
|
|
include::../../common/fix/code-rationale.adoc[]
|
|
|
|
==== Noncompliant code example
|
|
|
|
[source,python,diff-id=21,diff-type=noncompliant]
|
|
----
|
|
from fastapi import FastAPI
|
|
import httpx
|
|
|
|
app = FastAPI()
|
|
|
|
@app.get('/example')
|
|
def example(url: str):
|
|
r = httpx.get(url) # Noncompliant
|
|
return {"response": r.text}
|
|
----
|
|
|
|
==== Compliant solution
|
|
|
|
[source,python,diff-id=21,diff-type=compliant]
|
|
----
|
|
from fastapi import FastAPI
|
|
from fastapi.responses import JSONResponse
|
|
import httpx
|
|
from urllib.parse import urlparse
|
|
|
|
DOMAINS_ALLOWLIST = ['trusted1.example.com', 'trusted2.example.com']
|
|
app = FastAPI()
|
|
|
|
@app.get('/example')
|
|
def example(url: str):
|
|
if not urlparse(url).hostname in DOMAINS_ALLOWLIST:
|
|
return JSONResponse({"error": f"URL {url} is not whitelisted."}, 400)
|
|
|
|
r = httpx.get(url)
|
|
return {"response": r.text}
|
|
----
|
|
|
|
=== How does this work?
|
|
|
|
include::../../common/fix/pre-approved-list.adoc[]
|
|
|
|
The compliant code example uses such an approach.
|
|
HTTPX implicitly validates the scheme as it only allows `http` and `https` by default.
|
|
|
|
=== Pitfalls
|
|
|
|
include::../../common/pitfalls/starts-with.adoc[]
|