python.flask.security.unsanitized-input.response-contains-unsanitized-input

Community Favorite
profile photo of returntocorpreturntocorp
Author
48,348
Download Count*

Flask response reflects unsanitized user input. This could lead to a cross-site scripting vulnerability (https://owasp.org/www-community/attacks/xss/) in which an attacker causes arbitrary code to be executed in the user's browser. To prevent, please sanitize the user input, e.g. by rendering the response in a Jinja2 template (see considerations in https://flask.palletsprojects.com/en/1.0.x/security/).

Run Locally

Run in CI

Defintion

rules:
  - id: response-contains-unsanitized-input
    message: Flask response reflects unsanitized user input. This could lead to a
      cross-site scripting vulnerability
      (https://owasp.org/www-community/attacks/xss/) in which an attacker causes
      arbitrary code to be executed in the user's browser. To prevent, please
      sanitize the user input, e.g. by rendering the response in a Jinja2
      template (see considerations in
      https://flask.palletsprojects.com/en/1.0.x/security/).
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      references:
        - https://flask.palletsprojects.com/en/1.0.x/security/
        - https://owasp.org/www-community/attacks/xss/
      category: security
      technology:
        - flask
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - python
    severity: WARNING
    pattern-either:
      - pattern: |
          $X = flask.request.args.get(...)
          ...
          flask.make_response("...".format($X))
      - pattern: |
          $X = flask.request.args.get(...)
          ...
          flask.make_response(f"...{$X}...")
      - pattern: |
          $X = flask.request.args.get(...)
          ...
          flask.make_response(f"...{$X}")
      - pattern: |
          $X = flask.request.args.get(...)
          ...
          flask.make_response(f"{$X}...")

Examples

unsanitized-input.py

from flask import make_response, request

def test1():
    # ruleid: response-contains-unsanitized-input
    x = request.args.get("x")
    return make_response("found {}".format(x))


def test1():
    # ruleid: response-contains-unsanitized-input
    x = request.args.get("x")
    y = make_response("found {}".format(x))
    return y


def test2():
    # ok: response-contains-unsanitized-input
    x = request.args.get("x")
    y = some_safe_operation_on(x)
    return make_response("found {}".format(y))


def test3():
    # ruleid: response-contains-unsanitized-input
    x = request.args.get("x")
    return make_response(f"found {x}")