Use of both safe and unsafe HTTP methods for a view PY-S6007
Allowing both safe and unsafe methods for a view is unsecure
198 return "501", 501
199
200
201@app.route("/deploy/<key>", methods=["GET", "POST"])202def deploy(key):
203 if key == CONFIG.DEPLOY_KEY:
204 # git pull return output
Description
An HTTP method is safe if it doesn't alter the state of the server i.e it leads to a read-only operation.
Common safe HTTP methods: GET, HEAD, and OPTIONS.
Whereas, POST, PUT, and DELETE are unsafe because they alter the server state.
The use of both safe and unsafe HTTP methods on a view makes the application vulnerable to Cross-Site Request Forgery (CSRF). CSRF protections are responsible for protecting operations performed by unsafe HTTP methods. They do not protect if safe HTTP methods used for a route that can change the state of an application.
It is recommended to use safe HTTP methods only when read-only operations need to be performed. Don't use safe and unsafe methods together.
Bad practice
For Django:
from django.views.decorators.http import require_http_methods
@require_http_methods(["GET", "POST"]) # Sensitive
def register(request):
...
For Flask:
import flask
from flask import Flask
app = Flask(__name__)
@app.route('/sensitive', methods=['GET', 'POST']) # Sensitive
def register():
...
Recommended
For Django
from django.views.decorators.http import require_POST, require_GET
@require_POST
def register(request):
...
@require_GET
def post(request):
...
For Flask
import flask
from flask import Flask
app = Flask(__name__)
@app.route('/sensitive', methods=['POST']) # Sensitive
def register():
...
@app.route('/sensitive', methods=['GET']) # Sensitive
def hello_world():
return "Hello World"
References:
- OWASP Top 10 2021 Category A04 - Insecure Design
- SANS 25
- CWE-352
- Cross Site Request Forgery