python.django.security.injection.request-data-write.request-data-write

Author: semgrep
Downloads: 6,591

Found user-controlled request data passed into '.write(...)'. This could be dangerous if a malicious actor is able to control data into sensitive files. For example, a malicious actor could force rolling of critical log files, or cause a denial-of-service by using up available disk space. Instead, ensure that request data is properly escaped or sanitized.
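The following is an added example (not part of the Semgrep rule page or its test file) that puts the flow the rule describes next to a hardened version: a Django-style view that copies a `request.POST` value straight into `.write()`, and the same view after the value passes through a sanitizer that strips CR/LF and other control characters and bounds the length. `FakeRequest` is a constructed stand-in for `django.http.HttpRequest` so the block runs without Django; `MAX_FIELD_LEN`, `neutralize`, `log_comment_unsafe`, `log_comment_safe` and `render_entry` are names chosen for this example.

```python
import io
import os
import tempfile

# Hypothetical cap on a single logged field; tune it for the field you actually log.
MAX_FIELD_LEN = 256
# Constructed default path for the stand-alone run.
LOG_PATH = os.path.join(tempfile.gettempdir(), "example-audit.log")


class FakeRequest:
    """Constructed stand-in for django.http.HttpRequest: only .POST is modelled."""

    def __init__(self, post):
        self.POST = post


def log_comment_unsafe(request, sink):
    """Vulnerable form: the POST value reaches .write() verbatim.

    This is the shape the rule flags. A value containing '\\n' forges extra log
    lines (CWE-93), and nothing bounds the length, so a large value consumes disk.
    """
    comment = request.POST.get("comment", "")
    sink.write("comment: %s\n" % comment)
    return comment


def neutralize(value, max_len=MAX_FIELD_LEN):
    """Replace CR, LF and any other non-printable character with a space, then truncate.

    This is the escaping/sanitizing step the rule message asks for: the result can
    no longer start a new log line, and its size is bounded.
    """
    if not isinstance(value, str):
        raise TypeError("expected str, got %s" % type(value).__name__)
    cleaned = "".join(ch if ch.isprintable() else " " for ch in value)
    return cleaned[:max_len]


def log_comment_safe(request, sink):
    """Hardened form: same write, but the value is neutralized first.

    The raw request value never reaches .write(); only the sanitized copy does,
    so the direct request-to-write flow the rule's patterns describe is broken.
    """
    raw = request.POST.get("comment", "")
    comment = neutralize(raw)
    sink.write("comment: %s\n" % comment)
    return comment


def render_entry(request, safe):
    """Run the unsafe or safe writer against an in-memory sink and return what was written."""
    sink = io.StringIO()
    writer = log_comment_safe if safe else log_comment_unsafe
    writer(request, sink)
    return sink.getvalue()


if __name__ == "__main__":
    # Constructed inputs: a CRLF-injection attempt and an oversized value.
    forged = FakeRequest({"comment": "hello\nuser=admin action=login status=ok"})
    oversized = FakeRequest({"comment": "A" * 1000})
    print("unsafe:\n" + render_entry(forged, safe=False))
    print("safe:\n" + render_entry(forged, safe=True))
    print("safe, truncated length:", len(render_entry(oversized, safe=True)))
    # The same hardened writer against a real file, appending one bounded line.
    with open(LOG_PATH, "a", encoding="utf-8") as f:
        log_comment_safe(forged, f)
```

The unsafe writer emits two log lines from one request value, the second of which looks like a legitimate audit record; the safe writer emits exactly one line, whose length is bounded by `MAX_FIELD_LEN` plus the fixed prefix. Sanitizing at the point of use, rather than trusting that an upstream form cleaned the value, is what keeps the rule's finding from reappearing when the view is refactored.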


Definition

rules:
  - id: request-data-write
    message: Found user-controlled request data passed into '.write(...)'. This
      could be dangerous if a malicious actor is able to control data into
      sensitive files. For example, a malicious actor could force rolling of
      critical log files, or cause a denial-of-service by using up available
      disk space. Instead, ensure that request data is properly escaped or
      sanitized.
    metadata:
      cwe:
        - "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')"
      owasp:
        - A03:2021 - Injection
      category: security
      technology:
        - django
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Validation
    languages:
      - python
    severity: WARNING
    pattern-either:
      - pattern: $F.write(..., request.$W.get(...), ...)
      - pattern: |
          $DATA = request.$W.get(...)
          ...
          $F.write(..., $DATA, ...)
      - pattern: |
          $DATA = request.$W.get(...)
          ...
          $INTERM = $DATA
          ...
          $F.write(..., $INTERM, ...)
      - pattern: |
          $DATA = request.$W.get(...)
          ...
          $F.write(..., $B.$C(..., $DATA, ...), ...)
      - pattern: |
          $DATA = request.$W.get(...)
          ...
          $INTERM = $B.$C(..., $DATA, ...)
          ...
          $F.write(..., $INTERM, ...)
      - pattern: |
          $DATA = request.$W.get(...)
          ...
          $F.write(..., $STR % $DATA, ...)
      - pattern: |
          $DATA = request.$W.get(...)
          ...
          $INTERM = $STR % $DATA
          ...
          $F.write(..., $INTERM, ...)
      - pattern: |
          $DATA = request.$W.get(...)
          ...
          $F.write(..., f"...{$DATA}...", ...)
      - pattern: |
          $DATA = request.$W.get(...)
          ...
          $INTERM = f"...{$DATA}..."
          ...
          $F.write(..., $INTERM, ...)
      - pattern: $A = $F.write(..., request.$W.get(...), ...)
      - pattern: return $F.write(..., request.$W.get(...), ...)
      - pattern: $F.write(..., request.$W(...), ...)
      - pattern: |
          $DATA = request.$W(...)
          ...
          $F.write(..., $DATA, ...)
      - pattern: |
          $DATA = request.$W(...)
          ...
          $INTERM = $DATA
          ...
          $F.write(..., $INTERM, ...)
      - pattern: |
          $DATA = request.$W(...)
          ...
          $F.write(..., $B.$C(..., $DATA, ...), ...)
      - pattern: |
          $DATA = request.$W(...)
          ...
          $INTERM = $B.$C(..., $DATA, ...)
          ...
          $F.write(..., $INTERM, ...)
      - pattern: |
          $DATA = request.$W(...)
          ...
          $F.write(..., $STR % $DATA, ...)
      - pattern: |
          $DATA = request.$W(...)
          ...
          $INTERM = $STR % $DATA
          ...
          $F.write(..., $INTERM, ...)
      - pattern: |
          $DATA = request.$W(...)
          ...
          $F.write(..., f"...{$DATA}...", ...)
      - pattern: |
          $DATA = request.$W(...)
          ...
          $INTERM = f"...{$DATA}..."
          ...
          $F.write(..., $INTERM, ...)
      - pattern: $A = $F.write(..., request.$W(...), ...)
      - pattern: return $F.write(..., request.$W(...), ...)
      - pattern: $F.write(..., request.$W[...], ...)
      - pattern: |
          $DATA = request.$W[...]
          ...
          $F.write(..., $DATA, ...)
      - pattern: |
          $DATA = request.$W[...]
          ...
          $INTERM = $DATA
          ...
          $F.write(..., $INTERM, ...)
      - pattern: |
          $DATA = request.$W[...]
          ...
          $F.write(..., $B.$C(..., $DATA, ...), ...)
      - pattern: |
          $DATA = request.$W[...]
          ...
          $INTERM = $B.$C(..., $DATA, ...)
          ...
          $F.write(..., $INTERM, ...)
      - pattern: |
          $DATA = request.$W[...]
          ...
          $F.write(..., $STR % $DATA, ...)
      - pattern: |
          $DATA = request.$W[...]
          ...
          $INTERM = $STR % $DATA
          ...
          $F.write(..., $INTERM, ...)
      - pattern: |
          $DATA = request.$W[...]
          ...
          $F.write(..., f"...{$DATA}...", ...)
      - pattern: |
          $DATA = request.$W[...]
          ...
          $INTERM = f"...{$DATA}..."
          ...
          $F.write(..., $INTERM, ...)
      - pattern: $A = $F.write(..., request.$W[...], ...)
      - pattern: return $F.write(..., request.$W[...], ...)
      - pattern: $F.write(..., request.$W, ...)
      - pattern: |
          $DATA = request.$W
          ...
          $F.write(..., $DATA, ...)
      - pattern: |
          $DATA = request.$W
          ...
          $INTERM = $DATA
          ...
          $F.write(..., $INTERM, ...)
      - pattern: |
          $DATA = request.$W
          ...
          $F.write(..., $B.$C(..., $DATA, ...), ...)
      - pattern: |
          $DATA = request.$W
          ...
          $INTERM = $B.$C(..., $DATA, ...)
          ...
          $F.write(..., $INTERM, ...)
      - pattern: |
          $DATA = request.$W
          ...
          $F.write(..., $STR % $DATA, ...)
      - pattern: |
          $DATA = request.$W
          ...
          $INTERM = $STR % $DATA
          ...
          $F.write(..., $INTERM, ...)
      - pattern: |
          $DATA = request.$W
          ...
          $F.write(..., f"...{$DATA}...", ...)
      - pattern: |
          $DATA = request.$W
          ...
          $INTERM = f"...{$DATA}..."
          ...
          $F.write(..., $INTERM, ...)
      - pattern: $A = $F.write(..., request.$W, ...)
      - pattern: return $F.write(..., request.$W, ...)

Examples

request-data-write.py

import time
from django.contrib.auth.models import User
from django.http import HttpResponse
from . import settings as USettings

def save_scrawl_file(request, filename):
    import base64
    try:
        # The field name comes from settings, but the value is request.POST data
        # that reaches f.write() through a base64 call, which the rule's
        # `$F.write(..., $B.$C(..., $DATA, ...), ...)` pattern covers.
        # ruleid: request-data-write
        content = request.POST.get(USettings.UEditorUploadSettings.get("scrawlFieldName", "upfile"))
        f = open(filename, 'wb')
        # base64.decodestring was removed in Python 3.9; decodebytes is its replacement.
        f.write(base64.decodebytes(content))
        f.close()
        state = "SUCCESS"
    except Exception as e:
        state = u"写入图片文件错误:%s" % e
    return state

def save_file(request):
    # Only the session lookup touches the request; the written content is built
    # from server-side values, so nothing user-controlled reaches f.write().
    # ok: request-data-write
    user = User.objects.get(username=request.session.get('user'))
    content = "user logged in at {}".format(time.time())
    f = open("{}-{}".format(user, time.time()), 'wb')
    # The file is opened in binary mode, so the str must be encoded before writing.
    f.write(content.encode('utf-8'))
    f.close()