python.flask.correctness.access-request-in-wrong-handler.avoid-accessing-request-in-wrong-handler

Author: semgrep
Download count: 7,610

Accessing the request object inside a route handler for an HTTP GET request will throw due to the missing request body.

Definition

rules:
  - id: avoid-accessing-request-in-wrong-handler
    patterns:
      - pattern-inside: |
          @app.route(..., method="GET")
          def $X(...):
            ...
      - pattern-either:
          - pattern: |
              $Y = flask.request.json
          - pattern: |
              $Y = flask.request.form
          - pattern: |
              $Y = flask.request.data
    message: Accessing request object inside a route handle for HTTP GET command
      will throw due to missing request body.
    languages:
      - python
    severity: WARNING
    metadata:
      category: correctness
      technology:
        - flask
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

Examples

access-request-in-wrong-handler.py

from flask import Flask, request

app = Flask(__name__)


@app.route('/', method="GET")
def handler_with_get_json(ff):
  # ruleid:avoid-accessing-request-in-wrong-handler
  r = request.json
  return r

@app.route('/', method="GET")
def handler_with_get_form(ff):
  # ruleid:avoid-accessing-request-in-wrong-handler
  r = request.form
  return r

@app.route('/', method="GET")
def handler_with_data(ff):
  # ruleid:avoid-accessing-request-in-wrong-handler
  r = request.data
  return r
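
The match logic of this rule, sketched with Python's `ast` module as an added example (not Semgrep's implementation and not part of the registry page). It goes beyond the rule by also accepting `methods=["GET"]`, the keyword Flask documents, and by flagging any read rather than only assignments; `SAMPLE`, `is_get_only_route` and `find_body_reads` are names made up here, and only `from flask import request` imports are tracked.

```python
import ast

BODY_ATTRS = {"json", "form", "data"}  # the three attributes the rule flags
# Constructed sample input (not the rule's test file).
SAMPLE = '''
from flask import Flask, request
app = Flask(__name__)

@app.route("/a", method="GET")             # spelling the rule pattern matches
def a():
    return request.json
@app.route("/b", methods=["GET"])          # Flask's documented keyword
def b():
    return request.form
@app.route("/c", methods=["GET", "POST"])  # POST can carry a body: not flagged
def c():
    return request.data
@app.route("/d", methods=["GET"])          # query string is fine on GET
def d():
    return request.args.get("q", "")
'''

def is_get_only_route(dec):  # matches method="GET" and methods=["GET"]
    if not (isinstance(dec, ast.Call) and getattr(dec.func, "attr", None) == "route"):
        return False
    for kw in dec.keywords:
        if kw.arg == "method" and isinstance(kw.value, ast.Constant):
            return kw.value.value == "GET"
        if kw.arg == "methods" and isinstance(kw.value, (ast.List, ast.Tuple)):
            return {getattr(e, "value", None) for e in kw.value.elts} == {"GET"}
    return False

def find_body_reads(source):
    """Return (handler, attribute, line) for body reads in GET-only handlers."""
    tree = ast.parse(source)
    # Local names bound to flask.request by `from flask import request [as x]`.
    names = {a.asname or a.name for n in ast.walk(tree)
             if isinstance(n, ast.ImportFrom) and n.module == "flask"
             for a in n.names if a.name == "request"}
    hits = []
    for fn in ast.walk(tree):
        if isinstance(fn, ast.FunctionDef) and any(map(is_get_only_route, fn.decorator_list)):
            hits += [(fn.name, n.attr, n.lineno) for n in ast.walk(fn)
                     if isinstance(n, ast.Attribute) and n.attr in BODY_ATTRS
                     and isinstance(n.value, ast.Name) and n.value.id in names]
    return sorted(hits, key=lambda h: h[2])

if __name__ == "__main__":
    print(*find_body_reads(SAMPLE), sep="\n")
```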