Use of unsanitized data to open API
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
ID: python-flask/urlopen-unsanitized-data
Language: Python
Severity: Error
Category: Security
CWE: 918
Description
Use of unsanitized from incoming request, leading to potential data leak and lack of control of the service. The code should check any incoming data and make sure it’s safe to use it.
Learn More
Non-Compliant Code Examples
import flask
from urllib.request import urlopen
app = flask.Flask(__name__)
@app.route("/route/to/resource/<resource_id>")
def resource2(resource_id):
file1 = urlopen(resource_id)
file2 = urlopen(f"/path/to/{resource_id}")
@app.route("/route/to/resource")
def resource2():
resource_id = flask.request.args.get("resource_id")
file1 = urlopen(resource_id)
file2 = urlopen(f"/path/to/{resource_id}")
file3 = urlopen("/path/to/{0}".format(resource_id))
Compliant Code Examples
import flask
from urllib.request import urlopen
app = flask.Flask(__name__)
@app.route("/route/to/resource/<resource_id>")
def resource2(resource_id):
sanitized_resource_id = sanitize(resource_id)
file1 = urlopen(sanitized_resource_id)
