python.flask.security.flask-api-method-string-format.flask-api-method-string-format
Author: semgrep
Download count: 1,200
Method $METHOD in API controller $CLASS provides user arg $ARG to requests method $REQMETHOD
Definition
rules:
  - id: flask-api-method-string-format
    patterns:
      - pattern-either:
          - pattern: |
              def $METHOD(...,$ARG,...):
                  ...
                  $STRING = "...".format(...,$ARG,...)
                  ...
                  ... = requests.$REQMETHOD($STRING,...)
          - pattern: |
              def $METHOD(...,$ARG,...):
                  ...
                  ... = requests.$REQMETHOD("...".format(...,$ARG,...),...)
      - pattern-inside: |
          class $CLASS(...):
              method_decorators = ...
              ...
    message: Method $METHOD in API controller $CLASS provides user arg $ARG to
      requests method $REQMETHOD
    severity: ERROR
    languages:
      - python
    metadata:
      cwe:
        - "CWE-134: Use of Externally-Controlled Format String"
      category: security
      technology:
        - flask
      references:
        - https://cwe.mitre.org/data/definitions/134.html
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Validation
Examples
flask-api-method-string-format.py
import requests


class FOO(resource):
    method_decorators = decorator()

    # ok:flask-api-method-string-format
    def get(self, somearg):
        createRecord(somearg)

    # ruleid:flask-api-method-string-format
    def get(self, arg1):
        print("foo")
        string = "foo".format(arg1)
        foo = requests.get(string)

    # ok:flask-api-method-string-format
    def get(self, somearg):
        otherFunc("hello world")

    # ruleid:flask-api-method-string-format
    def get2(self, arg2):
        someFn()
        bar = requests.get("foo".format(arg2))
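An added example, not part of the rule or its test file, showing the construction the rule flags next to a hardened version: the handler argument is checked against an allowlist and percent-encoded before it is formatted into a fixed base URL, so it can only select a record and never reshape the request. BASE_URL, the record-id pattern and the function names are assumptions made for the illustration.

```python
import re
from urllib.parse import quote

# Constructed upstream service for the illustration; the real target is an assumption.
BASE_URL = "https://api.example.internal"

# Identifier policy: the only characters a record id may legitimately contain.
RECORD_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def unsafe_record_url(arg: str) -> str:
    """The shape the rule flags: a request-handler argument is formatted
    straight into the URL handed to requests, with no validation or encoding."""
    return "{}/records/{}".format(BASE_URL, arg)


def safe_record_url(arg: str) -> str:
    """Hardened form. The allowlist is the primary control; percent-encoding
    with no 'safe' characters is defence in depth, keeping the value inside a
    single path segment even if the allowlist is ever loosened."""
    if not RECORD_ID_RE.fullmatch(arg):
        raise ValueError("record id does not match the allowed pattern")
    return "{}/records/{}".format(BASE_URL, quote(arg, safe=""))


def fetch_record(arg: str, timeout: float = 5.0) -> bytes:
    """Outbound call on the validated URL. requests is imported here so the
    URL-building functions above can be exercised without network access."""
    import requests

    resp = requests.get(safe_record_url(arg), timeout=timeout)
    resp.raise_for_status()
    return resp.content


def check(arg: str) -> dict:
    """Run one input through both builders; 'safe' is None when the hardened
    builder rejected it, while 'unsafe' always reflects the raw interpolation."""
    try:
        safe = safe_record_url(arg)
    except ValueError:
        safe = None
    return {"unsafe": unsafe_record_url(arg), "safe": safe}
```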
Short Link: https://sg.run/bDWr