python.flask.security.audit.host-header-injection-python.host-header-injection-python

Author
unknown

The flask.request.host is used to construct an HTTP request. Because the value comes from the client-supplied Host header, this can lead to host header injection issues. Vulnerabilities that generally occur due to this issue are authentication bypasses, password reset issues, Server-Side Request Forgery (SSRF), and many more. It is recommended to validate the URL before passing it to a request library or before using it in application logic such as authentication or password resets.


Definition

rules:
  - id: host-header-injection-python
    message: The `flask.request.host` is used to construct an HTTP request. This
      can lead to host header injection issues. Vulnerabilities that generally
      occur due to this issue are authentication bypasses, password reset
      issues, Server-Side-Request-Forgery (SSRF), and many more. It is
      recommended to validate the URL before passing it to a request library,
      or using application logic such as authentication or password resets.
    patterns:
      - pattern-either:
          - pattern: |
              $X = <... "=~/.*http[s]*:///" + flask.request.host ...>;
          - pattern: |
              $X = <... "=~/.*http[s]*:///" + flask.request["host"] ...>;
          - pattern: |
              $Z = flask.request.host;
              ...
              $X = <... "=~/.*http[s]*:///" + $Z ...>;
          - pattern: |
              $Z = flask.request["host"];
              ...
              $X = <... "=~/.*http[s]*:///" + $Z ...>;
      - pattern-inside: |
          @$APP.route($ROUTE, ...)
          def $FUNC():
            ...
    languages:
      - python
    severity: INFO
    metadata:
      cwe:
        - "CWE-20: Improper Input Validation"
      category: security
      references:
        - https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/17-Testing_for_Host_Header_Injection
        - https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
      technology:
        - flask
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Validation

Examples

host-header-injection-python.py

from flask import Flask, request, render_template
from flask_mail import Mail, Message
import smtplib

app = Flask(__name__)

mail = Mail(app)

@app.route("/reset_password", methods=["POST"])
def reset_password():
    email = request.form.get("email")
    if not email:
        return "Invalid email", 400
    # The host part of the link is taken straight from the client-controlled Host header
    # ruleid: host-header-injection-python
    reset_link = "https://"+request.host+"reset/"+request.headers.get('reset_token')
    # Not `request.host`, so the rule must not fire (negative test case for the rule)
    # ok: host-header-injection-python
    reset_link = "https://"+request.foo+"reset/"+request.headers.get('reset_token')
    msg = Message('Password reset request', recipients=[email])
    msg.body = "Please click on the link to reset your password: " + reset_link
    mail.send(msg)
    return "Password reset email sent!"

if __name__ == '__main__':
    app.run(debug=True)
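The rule's description recommends validating the host before it is used in a password-reset link, but neither the rule nor its test file above shows what that validation looks like. The following is an added example, not code from the Semgrep rule or its test fixture: it normalises the Host header value and checks it against an allow-list of hostnames the deployment is actually served on, so a forged Host header can never end up in the emailed link. The allow-list contents, the `build_reset_link` / `normalise_host` helper names and the `make_app` wiring are assumptions made for this example.

```python
"""Added example (not part of the Semgrep rule or its test file): validate the
Host header against a known allow-list before building a password-reset link.

Assumptions (constructed for this example): the deployment knows its public
hostnames in advance (ALLOWED_HOSTS), the reset token is generated server-side,
and Flask is only imported inside make_app(), so the pure helpers run without it.
"""
from urllib.parse import quote, urlsplit

# Constructed allow-list: the host[:port] values this application is really served on.
ALLOWED_HOSTS = {"app.example.com", "localhost:5000"}


def normalise_host(raw_host):
    """Return a canonical 'host[:port]' from a Host header value, or None when the
    value is not a plain host (userinfo, path, bad port, empty), so it can never
    match the allow-list by accident."""
    if not raw_host or not isinstance(raw_host, str):
        return None
    try:
        # Parse as a network location so 'attacker.example@app.example.com' or
        # 'app.example.com/evil' are rejected instead of partially accepted.
        parts = urlsplit("//" + raw_host.strip())
        if parts.username is not None or parts.path or parts.query or parts.fragment:
            return None
        hostname = parts.hostname  # lower-cased by urlsplit
        if not hostname:
            return None
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    hostname = hostname.rstrip(".")
    if ":" in hostname:  # IPv6 literal: restore the brackets for URL use
        hostname = f"[{hostname}]"
    return hostname if port is None else f"{hostname}:{port}"


def build_reset_link(raw_host, token, allowed_hosts=ALLOWED_HOSTS):
    """Hardened counterpart of '"https://" + request.host + ...': only an
    allow-listed host is ever placed in the link; anything else raises."""
    host = normalise_host(raw_host)
    if host is None or host not in allowed_hosts:
        raise ValueError("untrusted Host header")
    return f"https://{host}/reset/{quote(token, safe='')}"


def reset_link_or_none(raw_host, token):
    """Convenience wrapper: the link for a trusted host, None for an untrusted one."""
    try:
        return build_reset_link(raw_host, token)
    except ValueError:
        return None


def make_app():
    """Optional Flask wiring of the check (Flask is imported only here)."""
    from flask import Flask, abort, request

    app = Flask(__name__)

    @app.route("/reset_password", methods=["POST"])
    def reset_password():
        email = request.form.get("email")
        if not email:
            return "Invalid email", 400
        token = "constructed-token"  # real code: freshly generated and stored server-side
        try:
            link = build_reset_link(request.host, token)
        except ValueError:
            abort(400)  # forged or unexpected Host header: refuse rather than email it
        # mail.send(...) would go here; `link` can only point at an allow-listed host
        return "Password reset email sent!"

    return app


if __name__ == "__main__":
    client = make_app().test_client()
    # Constructed request with a forged Host header: expect 400, not a mailed link
    resp = client.post("/reset_password", data={"email": "user@example.com"},
                       headers={"Host": "attacker.example"})
    print(resp.status_code)
```

`normalise_host` deliberately parses the header as a network location rather than string-matching it, so userinfo, path and port tricks are rejected before the allow-list comparison; the comparison itself is on the canonical `host[:port]` form, which is why `app.example.com:5000` does not pass when only `app.example.com` is allowed. Current Werkzeug/Flask versions also offer a trusted-hosts setting that performs a similar check at the framework level; the allow-list here shows what that check must do.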