python.django.security.injection.reflected-data-httpresponsebadrequest.reflected-data-httpresponsebadrequest

Community Favorite
Author: semgrep
Download Count: 12,102

Found user-controlled request data passed into a HttpResponseBadRequest. Because the response defaults to an HTML content type, this could be vulnerable to XSS, leading to attackers gaining access to user cookies and protected information. Ensure that the request data is properly escaped or sanitized before it is placed in the response body.


Definition

rules:
  - id: reflected-data-httpresponsebadrequest
    message: Found user-controlled request data passed into a
      HttpResponseBadRequest. This could be vulnerable to XSS, leading to
      attackers gaining access to user cookies and protected information. Ensure
      that the request data is properly escaped or sanitized.
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      references:
        - https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss
      category: security
      technology:
        - django
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site-Scripting (XSS)
    languages:
      - python
    severity: WARNING
    patterns:
      - pattern-inside: |
          def $FUNC(...):
            ...
      - pattern-either:
          - pattern: django.http.HttpResponseBadRequest(..., $S.format(...,
              request.$W.get(...), ...), ...)
          - pattern: django.http.HttpResponseBadRequest(..., $S % request.$W.get(...), ...)
          - pattern: django.http.HttpResponseBadRequest(..., f"...{request.$W.get(...)}...",
              ...)
          - pattern: django.http.HttpResponseBadRequest(..., request.$W.get(...), ...)
          - pattern: |
              $DATA = request.$W.get(...)
              ...
              django.http.HttpResponseBadRequest(..., $DATA, ...)
          - pattern: |
              $DATA = request.$W.get(...)
              ...
              $INTERM = $DATA
              ...
              django.http.HttpResponseBadRequest(..., $INTERM, ...)
          - pattern: >
              $DATA = request.$W.get(...)

              ...

              django.http.HttpResponseBadRequest(..., $STR.format(..., $DATA, ...), ...)
          - pattern: |
              $DATA = request.$W.get(...)
              ...
              $INTERM = $STR.format(..., $DATA, ...)
              ...
              django.http.HttpResponseBadRequest(..., $INTERM, ...)
          - pattern: |
              $DATA = request.$W.get(...)
              ...
              django.http.HttpResponseBadRequest(..., $STR % $DATA, ...)
          - pattern: |
              $DATA = request.$W.get(...)
              ...
              $INTERM = $STR % $DATA
              ...
              django.http.HttpResponseBadRequest(..., $INTERM, ...)
          - pattern: |
              $DATA = request.$W.get(...)
              ...
              django.http.HttpResponseBadRequest(..., f"...{$DATA}...", ...)
          - pattern: |
              $DATA = request.$W.get(...)
              ...
              $INTERM = f"...{$DATA}..."
              ...
              django.http.HttpResponseBadRequest(..., $INTERM, ...)
          - pattern: |
              $DATA = request.$W.get(...)
              ...
              django.http.HttpResponseBadRequest(..., $STR + $DATA, ...)
          - pattern: |
              $DATA = request.$W.get(...)
              ...
              $INTERM = $STR + $DATA
              ...
              django.http.HttpResponseBadRequest(..., $INTERM, ...)
          - pattern: $A = django.http.HttpResponseBadRequest(..., request.$W.get(...), ...)
          - pattern: return django.http.HttpResponseBadRequest(..., request.$W.get(...),
              ...)
          - pattern: django.http.HttpResponseBadRequest(..., $S.format(..., request.$W(...),
              ...), ...)
          - pattern: django.http.HttpResponseBadRequest(..., $S % request.$W(...), ...)
          - pattern: django.http.HttpResponseBadRequest(..., f"...{request.$W(...)}...",
              ...)
          - pattern: django.http.HttpResponseBadRequest(..., request.$W(...), ...)
          - pattern: |
              $DATA = request.$W(...)
              ...
              django.http.HttpResponseBadRequest(..., $DATA, ...)
          - pattern: |
              $DATA = request.$W(...)
              ...
              $INTERM = $DATA
              ...
              django.http.HttpResponseBadRequest(..., $INTERM, ...)
          - pattern: >
              $DATA = request.$W(...)

              ...

              django.http.HttpResponseBadRequest(..., $STR.format(..., $DATA, ...), ...)
          - pattern: |
              $DATA = request.$W(...)
              ...
              $INTERM = $STR.format(..., $DATA, ...)
              ...
              django.http.HttpResponseBadRequest(..., $INTERM, ...)
          - pattern: |
              $DATA = request.$W(...)
              ...
              django.http.HttpResponseBadRequest(..., $STR % $DATA, ...)
          - pattern: |
              $DATA = request.$W(...)
              ...
              $INTERM = $STR % $DATA
              ...
              django.http.HttpResponseBadRequest(..., $INTERM, ...)
          - pattern: |
              $DATA = request.$W(...)
              ...
              django.http.HttpResponseBadRequest(..., f"...{$DATA}...", ...)
          - pattern: |
              $DATA = request.$W(...)
              ...
              $INTERM = f"...{$DATA}..."
              ...
              django.http.HttpResponseBadRequest(..., $INTERM, ...)
          - pattern: |
              $DATA = request.$W(...)
              ...
              django.http.HttpResponseBadRequest(..., $STR + $DATA, ...)
          - pattern: |
              $DATA = request.$W(...)
              ...
              $INTERM = $STR + $DATA
              ...
              django.http.HttpResponseBadRequest(..., $INTERM, ...)
          - pattern: $A = django.http.HttpResponseBadRequest(..., request.$W(...), ...)
          - pattern: return django.http.HttpResponseBadRequest(..., request.$W(...), ...)
          - pattern: django.http.HttpResponseBadRequest(..., $S.format(..., request.$W[...],
              ...), ...)
          - pattern: django.http.HttpResponseBadRequest(..., $S % request.$W[...], ...)
          - pattern: django.http.HttpResponseBadRequest(..., f"...{request.$W[...]}...",
              ...)
          - pattern: django.http.HttpResponseBadRequest(..., request.$W[...], ...)
          - pattern: |
              $DATA = request.$W[...]
              ...
              django.http.HttpResponseBadRequest(..., $DATA, ...)
          - pattern: |
              $DATA = request.$W[...]
              ...
              $INTERM = $DATA
              ...
              django.http.HttpResponseBadRequest(..., $INTERM, ...)
          - pattern: >
              $DATA = request.$W[...]

              ...

              django.http.HttpResponseBadRequest(..., $STR.format(..., $DATA, ...), ...)
          - pattern: |
              $DATA = request.$W[...]
              ...
              $INTERM = $STR.format(..., $DATA, ...)
              ...
              django.http.HttpResponseBadRequest(..., $INTERM, ...)
          - pattern: |
              $DATA = request.$W[...]
              ...
              django.http.HttpResponseBadRequest(..., $STR % $DATA, ...)
          - pattern: |
              $DATA = request.$W[...]
              ...
              $INTERM = $STR % $DATA
              ...
              django.http.HttpResponseBadRequest(..., $INTERM, ...)
          - pattern: |
              $DATA = request.$W[...]
              ...
              django.http.HttpResponseBadRequest(..., f"...{$DATA}...", ...)
          - pattern: |
              $DATA = request.$W[...]
              ...
              $INTERM = f"...{$DATA}..."
              ...
              django.http.HttpResponseBadRequest(..., $INTERM, ...)
          - pattern: |
              $DATA = request.$W[...]
              ...
              django.http.HttpResponseBadRequest(..., $STR + $DATA, ...)
          - pattern: |
              $DATA = request.$W[...]
              ...
              $INTERM = $STR + $DATA
              ...
              django.http.HttpResponseBadRequest(..., $INTERM, ...)
          - pattern: $A = django.http.HttpResponseBadRequest(..., request.$W[...], ...)
          - pattern: return django.http.HttpResponseBadRequest(..., request.$W[...], ...)
          - pattern: django.http.HttpResponseBadRequest(..., $S.format(..., request.$W,
              ...), ...)
          - pattern: django.http.HttpResponseBadRequest(..., $S % request.$W, ...)
          - pattern: django.http.HttpResponseBadRequest(..., f"...{request.$W}...", ...)
          - pattern: django.http.HttpResponseBadRequest(..., request.$W, ...)
          - pattern: |
              $DATA = request.$W
              ...
              django.http.HttpResponseBadRequest(..., $DATA, ...)
          - pattern: |
              $DATA = request.$W
              ...
              $INTERM = $DATA
              ...
              django.http.HttpResponseBadRequest(..., $INTERM, ...)
          - pattern: >
              $DATA = request.$W

              ...

              django.http.HttpResponseBadRequest(..., $STR.format(..., $DATA, ...), ...)
          - pattern: |
              $DATA = request.$W
              ...
              $INTERM = $STR.format(..., $DATA, ...)
              ...
              django.http.HttpResponseBadRequest(..., $INTERM, ...)
          - pattern: |
              $DATA = request.$W
              ...
              django.http.HttpResponseBadRequest(..., $STR % $DATA, ...)
          - pattern: |
              $DATA = request.$W
              ...
              $INTERM = $STR % $DATA
              ...
              django.http.HttpResponseBadRequest(..., $INTERM, ...)
          - pattern: |
              $DATA = request.$W
              ...
              django.http.HttpResponseBadRequest(..., f"...{$DATA}...", ...)
          - pattern: |
              $DATA = request.$W
              ...
              $INTERM = f"...{$DATA}..."
              ...
              django.http.HttpResponseBadRequest(..., $INTERM, ...)
          - pattern: |
              $DATA = request.$W
              ...
              django.http.HttpResponseBadRequest(..., $STR + $DATA, ...)
          - pattern: |
              $DATA = request.$W
              ...
              $INTERM = $STR + $DATA
              ...
              django.http.HttpResponseBadRequest(..., $INTERM, ...)
          - pattern: $A = django.http.HttpResponseBadRequest(..., request.$W, ...)
          - pattern: return django.http.HttpResponseBadRequest(..., request.$W, ...)

Examples

reflected-data-httpresponsebadrequest.py

from django.contrib.auth.models import User
from django.db.models import Q
from django.http import HttpResponse, HttpResponseBadRequest
from django.utils.translation import gettext as _

def search_certificates(request):
    # ruleid: reflected-data-httpresponsebadrequest
    user_filter = request.GET.get("user", "")
    if not user_filter:
        msg = _("user is not given.")
        return HttpResponseBadRequest(msg)

    try:
        user = User.objects.get(Q(email=user_filter) | Q(username=user_filter))
    except User.DoesNotExist:
        # the raw query parameter is reflected into the 400 response body
        return HttpResponseBadRequest(_("user '{}' does not exist").format(user_filter))

def previewNode(request, uid):
    """Preview evaluante node"""
    try:
        if uid in engines:
            # ok: reflected-data-httpresponsebadrequest
            _nodeId = request.data.get('nodeId')
            engines[uid].stoppable = True
            _res = engines[uid].model.previewNode(_nodeId)
            if _res is None:
                return HttpResponseBadRequest('', status=204)
            return HttpResponseBadRequest(_res)
        return manageNoEngine()
    except Exception as e:
        return genericApiException(e, engines[uid])
    finally:
        engines[uid].stoppable = False

def inline_test(request):
    # ruleid: reflected-data-httpresponsebadrequest
    return HttpResponseBadRequest("Received {}".format(request.POST.get('message')))
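
An added example, not part of the rule or its test file: the reflected 400 body that `search_certificates` above produces, beside a hardened form that escapes the value and pins a non-HTML content type. `TAINTED_USER`, the helper names and the stdlib fallback to `html.escape` when Django is not installed are assumptions.

```python
import html

try:
    from django.utils.html import escape  # preferred inside a real Django view
except ImportError:  # assumed stdlib fallback so the example runs without Django
    escape = html.escape

# Constructed query-parameter value standing in for request.GET.get("user").
TAINTED_USER = "<script>alert(document.cookie)</script>"


def unsafe_body(user_filter):
    """The shape the rule flags: request data interpolated verbatim."""
    return "user '{}' does not exist".format(user_filter)


def safe_body(user_filter):
    """Hardened: escape() turns markup characters into entities before the
    value is interpolated, so the browser renders text rather than a tag."""
    return "user '{}' does not exist".format(escape(user_filter))


def bad_request(user_filter, harden=True):
    """Assembles the arguments a view would hand to HttpResponseBadRequest.
    Django's default content type is text/html, which is why an unescaped
    body is rendered as markup; the hardened form also pins text/plain so
    that a missed escape elsewhere is still not interpreted as HTML."""
    if not harden:
        return {"content": unsafe_body(user_filter),
                "content_type": "text/html; charset=utf-8"}
    return {"content": safe_body(user_filter),
            "content_type": "text/plain; charset=utf-8"}


def contains_raw_markup(body):
    """Cheap check for tests: does the body still carry raw angle brackets?"""
    return "<" in body or ">" in body


if __name__ == "__main__":
    print(bad_request(TAINTED_USER, harden=False)["content"])
    print(bad_request(TAINTED_USER)["content"])
```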