org.sonar.l10n.py.rules.python.S6556.html

This rule suggests avoiding the use of the built-in Python function "locals()" when passing context to a Django "render()" function.

Why is this an issue?

Using the "locals()" function to pass context to a Django "render()" function can lead to security vulnerabilities and unexpected behavior. "locals()" returns a dictionary of the current local scope, including any sensitive information that may be present in the function’s local namespace. This means that if "locals()" is used to pass context to "render()", sensitive data such as passwords, keys, and other secrets could be leaked.

Additionally, using "locals()" to pass context can make code more difficult to read and understand. It can also make it harder to maintain code over time.

How to fix it

Instead of passing "locals()" to the "render()" function, explicitly define the context dictionary with only the variables that are required. This way, sensitive data is not accidentally included in the context, and the code is easier to read and maintain.

Code examples

Noncompliant code example

from django.shortcuts import render

def my_view(request):
    username = "alice"
    password = "p@ssw0rd"
    context = locals()  # Noncompliant: exposes password (and request) to the template
    return render(request, "my_template.html", context)

Compliant solution

from django.shortcuts import render

def my_view(request):
    username = "alice"
    context = {"username": username}  # only the names the template needs
    return render(request, "my_template.html", context)
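The following is an added example, not part of the Sonar rule text, showing concretely what the noncompliant and compliant views above hand to the template and a small allowlist check a reviewer could run over any context dict. Django is not imported; `fake_render`, the sample secrets and `suspicious_context_keys` are constructed stand-ins for this demonstration.

```python
from string import Template

# Constructed markers; a real review would use the project's own secret naming.
SENSITIVE_MARKERS = ("password", "secret", "token", "key")


def fake_render(request, template_str, context):
    """Stand-in for django.shortcuts.render: substitutes $name placeholders
    from the context, so anything in the dict becomes reachable by the template.
    Unlike Django, an unknown name is left as-is rather than rendered empty."""
    return Template(template_str).safe_substitute(context)


def noncompliant_view(request):
    username = "alice"
    password = "p@ssw0rd"        # constructed sample secret
    api_key = "sk-constructed"   # constructed sample secret
    context = locals()           # snapshot of every local: request, username, password, api_key
    rendered = fake_render(request, "User: $username pw: $password", context)
    return context, rendered


def compliant_view(request):
    username = "alice"
    password = "p@ssw0rd"                # still a local, but never handed to the template
    context = {"username": username}     # explicit allowlist of exposed names
    rendered = fake_render(request, "User: $username pw: $password", context)
    return context, rendered


def suspicious_context_keys(context):
    """Return context keys that look like secrets or the raw request object,
    i.e. names that should not reach a template via locals()."""
    return sorted(
        k for k in context
        if k == "request" or any(m in k.lower() for m in SENSITIVE_MARKERS)
    )


if __name__ == "__main__":
    ctx, out = noncompliant_view("<request>")
    print("noncompliant leaks:", suspicious_context_keys(ctx), "->", out)
    ctx, out = compliant_view("<request>")
    print("compliant leaks:", suspicious_context_keys(ctx), "->", out)
```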

Resources

Documentation

Django render() function

Python locals() function
