
org.sonar.l10n.py.rules.python.S3752.html


An HTTP method is safe when used to perform a read-only operation, such as retrieving information. In contrast, an unsafe HTTP method is used to change the state of an application, for instance to update a user’s profile on a web application.

Common safe HTTP methods are GET, HEAD and OPTIONS.

Common unsafe HTTP methods are POST, PUT and DELETE.

Allowing both safe and unsafe HTTP methods to perform a specific operation on a web application could impact its security: for example, CSRF protections usually only cover operations performed with unsafe HTTP methods, so the same operation reached through a safe method is left unprotected.

Ask Yourself Whether

  • HTTP methods are not defined at all for a route/controller of the application.
  • Safe HTTP methods are defined and used for a route/controller that can change the state of an application.

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

For all routes/controllers of an application, the authorized HTTP methods should be explicitly defined, and safe HTTP methods should only be used to perform read-only operations.

Sensitive Code Example

For Django:

from django.http import HttpResponse
from django.views.decorators.http import require_http_methods

# No method restriction: any HTTP method reaches this view
def view(request):  # Sensitive
    return HttpResponse("...")

# A safe method (GET) is accepted alongside POST for the same operation
@require_http_methods(["GET", "POST"])  # Sensitive
def view(request):
    return HttpResponse("...")

For Flask:

from flask import Blueprint, Response
methods = Blueprint("methods", __name__)  # assumed: 'methods' is a Blueprint

@methods.route('/sensitive', methods=['GET', 'POST'])  # Sensitive
def view():
    return Response("...", 200)

Compliant Solution

For Django:

from django.http import HttpResponse
from django.views.decorators.http import (
    require_GET, require_POST, require_http_methods, require_safe)

@require_http_methods(["POST"])  # state-changing view: unsafe method only
def view(request):
    return HttpResponse("...")

@require_POST  # shorthand for the same POST-only restriction
def view(request):
    return HttpResponse("...")

@require_GET  # read-only view restricted to GET
def view(request):
    return HttpResponse("...")

@require_safe  # read-only view: GET and HEAD only
def view(request):
    return HttpResponse("...")

For Flask:

from flask import Blueprint, Response
methods = Blueprint("methods", __name__)  # assumed: 'methods' is a Blueprint

@methods.route('/compliant1')  # Flask defaults to GET (HEAD/OPTIONS are added automatically)
def view():
    return Response("...", 200)

@methods.route('/compliant2', methods=['GET'])  # explicit read-only method
def view():
    return Response("...", 200)
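To make the CSRF argument above concrete, here is an added example that is not part of the Sonar rule: a minimal framework-free dispatcher that, like Django's CsrfViewMiddleware, validates a CSRF token only for unsafe methods. The route list, the `delete_profile` handler and the token value are constructed for illustration; the same state-changing route is registered once with `["GET", "POST"]` (sensitive) and once with `["POST"]` (compliant).

```python
from dataclasses import dataclass, field
from typing import Optional

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}  # exempt from CSRF checks
VALID_TOKEN = "constructed-csrf-token"  # constructed sample value


@dataclass
class Request:
    method: str
    csrf_token: Optional[str] = None  # only a same-origin form carries it


@dataclass
class App:
    routes: dict = field(default_factory=dict)  # path -> (methods, handler)
    state: dict = field(default_factory=dict)   # stands in for the database

    def route(self, path, methods):
        def register(handler):
            self.routes[path] = (set(methods), handler)
            return handler
        return register

    def dispatch(self, path, request):
        allowed, handler = self.routes[path]
        if request.method not in allowed:
            return 405, "Method Not Allowed"
        # Like Django's CsrfViewMiddleware: only unsafe methods are checked
        if request.method not in SAFE_METHODS and request.csrf_token != VALID_TOKEN:
            return 403, "CSRF verification failed"
        return handler(self, request)


def delete_profile(app, request):
    app.state["profile"] = None  # state change, so an unsafe operation
    return 200, "profile deleted"


def build_app(allowed_methods):
    # constructed app with a single state-changing route
    app = App(state={"profile": "alice"})
    app.route("/profile/delete", methods=allowed_methods)(delete_profile)
    return app


def tokenless_get(allowed_methods):
    """A GET with no CSRF token, as a cross-site request would arrive."""
    app = build_app(allowed_methods)
    status, _ = app.dispatch("/profile/delete", Request("GET"))
    return status, app.state["profile"]
```

With `["GET", "POST"]` the tokenless GET returns 200 and the profile is gone; with `["POST"]` it is rejected with 405 before the handler runs, while a POST carrying the token still succeeds.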

See
