PY-S6007 · Use of both safe and unsafe HTTP methods for a view

Use of both safe and unsafe HTTP methods for a view PY-S6007

Security

Major

5 months ago — a year old

Allowing both safe and unsafe methods for a view is unsecure

673    return redirect(make_frontend_url(f'orders/{order_identifier}/view'))
674
675
676@order_misc_routes.route(677    '/orders/<string:order_identifier>/paytm/initiate-transaction',
678    methods=['POST', 'GET'],
679)

Allowing both safe and unsafe methods for a view is unsecure

app/api/orders.py

633        return jsonify(status=False, error='Source object status error')
634
635
636@order_misc_routes.route(637    '/orders/<string:order_identifier>/omise-checkout', methods=['POST', 'GET']
638)
639@jwt_required

Allowing both safe and unsafe methods for a view is unsecure

app/api/orders.py

612        raise BadRequestError({'source': ''}, 'Source creation error')
613
614
615@alipay_blueprint.route(616    '/alipay_return_uri/<string:order_identifier>', methods=['GET', 'POST']
617)
618def alipay_return_uri(order_identifier):

Allowing both safe and unsafe methods for a view is unsecure

app/api/orders.py

584    return jsonify(status=status, error=error)
585
586
587@alipay_blueprint.route(588    '/create_source/<string:order_identifier>', methods=['GET', 'POST']
589)
590@jwt_required

Allowing both safe and unsafe methods for a view is unsecure

app/api/event_invoices.py

168    return jsonify(status=False, error=response)
169
170
171@order_misc_routes.route(172    '/event-invoices/<string:invoice_identifier>/charge', methods=['POST', 'GET']
173)
174@jwt_required

Description

An HTTP method is safe if it doesn't alter the state of the server i.e it leads to a read-only operation. Common safe HTTP methods: GET, HEAD, and OPTIONS. Whereas, POST, PUT, and DELETE are unsafe because they alter the server state.

The use of both safe and unsafe HTTP methods on a view makes the application vulnerable to Cross-Site Request Forgery (CSRF). CSRF protections are responsible for protecting operations performed by unsafe HTTP methods. They do not protect if safe HTTP methods used for a route that can change the state of an application.

It is recommended to use safe HTTP methods only when read-only operations need to be performed. Don't use safe and unsafe methods together.

Bad practice

For Django:

from django.views.decorators.http import require_http_methods

@require_http_methods(["GET", "POST"]) # Sensitive
def register(request):
    ...

For Flask:

import flask

from flask import Flask

app = Flask(__name__)

@app.route('/sensitive', methods=['GET', 'POST'])  # Sensitive
def register():
    ...

References:

OWASP Top 10 2021 Category A04 - Insecure Design
SANS 25
CWE-352
Cross Site Request Forgery

fossasia / open-event-server

Bad practice

Recommended

References: