Use of unsanitized data to open API
ID: python-flask/urlopen-unsanitized-data
Language: Python
Severity: Error
Category: Security
CWE: 918
Description
Use of unsanitized from incoming request, leading to potential data leak and lack of control of the service. The code should check any incoming data and make sure it’s safe to use it.
Learn More
Non-Compliant Code Examples
import flask
from urllib.request import urlopen
app = flask.Flask(__name__)
@app.route("/route/to/resource/<resource_id>")
def resource2(resource_id):
file1 = urlopen(resource_id)
file2 = urlopen(f"/path/to/{resource_id}")
@app.route("/route/to/resource")
def resource2():
resource_id = flask.request.args.get("resource_id")
file1 = urlopen(resource_id)
file2 = urlopen(f"/path/to/{resource_id}")
file3 = urlopen("/path/to/{0}".format(resource_id))
Compliant Code Examples
import flask
from urllib.request import urlopen
app = flask.Flask(__name__)
@app.route("/route/to/resource/<resource_id>")
def resource2(resource_id):
sanitized_resource_id = sanitize(resource_id)
file1 = urlopen(sanitized_resource_id)
