-
Notifications
You must be signed in to change notification settings - Fork 30
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Modify rule S5144: Add aiohttp support (APPSEC-1248) (#3373)
## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>
- Loading branch information
1 parent
0985aec
commit 32a9027
Showing
3 changed files
with
54 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -78,6 +78,7 @@ | |
| * Django | ||
| * Django Templates | ||
| * Flask | ||
| * aiohttp | ||
| * Jinja | ||
| * lxml | ||
| * Paramiko | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,50 @@ | ||
| == How to fix it in aiohttp | ||
|
|
||
| === Code examples | ||
|
|
||
| include::../../common/fix/code-rationale.adoc[] | ||
|
|
||
| ==== Noncompliant code example | ||
|
|
||
| [source,python,diff-id=31,diff-type=noncompliant] | ||
| ---- | ||
| from fastapi import FastAPI | ||
| import aiohttp | ||
| app = FastAPI() | ||
| @app.get('/example') | ||
| async def example(url: str): | ||
| async with aiohttp.request('GET', url) as response: # Noncompliant | ||
| return {"response": await response.text()} | ||
| ---- | ||
|
|
||
| ==== Compliant solution | ||
|
|
||
| [source,python,diff-id=31,diff-type=compliant] | ||
| ---- | ||
| from fastapi import FastAPI | ||
| from fastapi.responses import JSONResponse | ||
| import aiohttp | ||
| from urllib.parse import urlparse | ||
| DOMAINS_ALLOWLIST = ['trusted1.example.com', 'trusted2.example.com']; | ||
| app = FastAPI() | ||
| @app.get('/example') | ||
| async def example(url: str): | ||
| if urlparse(url).hostname not in DOMAINS_ALLOWLIST: | ||
| return JSONResponse({"error": f"URL {url} is not whitelisted."}, 400) | ||
| async with aiohttp.request('GET', url.unicode_string()) as response: | ||
| return {"response": await response.text()} | ||
| ---- | ||
|
|
||
| === How does this work? | ||
|
|
||
| include::../../common/fix/pre-approved-list.adoc[] | ||
|
|
||
| The compliant code example uses such an approach. | ||
|
|
||
| === Pitfalls | ||
|
|
||
| include::../../common/pitfalls/starts-with.adoc[] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters