DeepSourceCorp · sourya-deepsource · Apr 7, 2025 · Feb 27, 2025 · Feb 27, 2025 · Mar 10, 2025
diff --git a/checkers/python/post-after-isvalid.test.py b/checkers/python/post-after-isvalid.test.py
@@ -0,0 +1,48 @@
+from django.shortcuts import render, redirect
+from .models import *
+from .forms import *
+
+
+# The idea here is to create an model object called a Tournament, with a form for creation called CreateTournamentForm()
+# 
+# Django best practices are to use form.cleaned_data[] after validation to ensure you're accessing well-sanitized data:
+# https://docs.djangoproject.com/en/4.2/ref/forms/api/#accessing-clean-data
+# 
+# Some fairly typical django form object creation handlers
+# This handler does NOT use request.cleaned_data[], even after form.is_valid() has run
+def create_new_tournament_dangerous(request):
+    if request.method == 'POST':
+        form = CreateTournamentForm(request.POST)
+        if form.is_valid():
+# <expect-error>
+            t = Tournament(name=request.POST['name'])
+            t.save()
+            return redirect('index')
+    else:
+        context = { 'form': CreateTournamentForm()}
+        return render(request, 'create_tournament.html', context)
+
+def create_new_tournament_dangerous(request):
+    if request.method == 'POST':
+        form = CreateTournamentForm(request.POST)
+        if form.is_valid():
+# <expect-error>
+            t = Tournament(name=request.POST.get('name'))
+            t.save()
+            return redirect('index')
+    else:
+        context = { 'form': CreateTournamentForm()}
+        return render(request, 'create_tournament.html', context)
+
+# This handler DOES use request.cleaned_data[], even after form.is_valid() has run
+def create_new_tournament_safe(request):
+    if request.method == 'POST':
+        form = CreateTournamentForm(request.POST)
+        if form.is_valid():
+# <no-error>
+            t = Tournament(name=form.cleaned_data['name'])
+            t.save()
+            return redirect('index')
+    else:
+        context = { 'form': CreateTournamentForm()}
+        return render(request, 'create_tournament.html', context)
diff --git a/checkers/python/post-after-isvalid.yml b/checkers/python/post-after-isvalid.yml
@@ -0,0 +1,36 @@
+language: py
+name: post-after-isvalid
+message: After form.is_valid(), use form.cleaned_data[] instead of request.POST[] or request.POST.get() to ensure data is sanitized.
+category: security
+
+pattern: |
+  (subscript
+    value: (attribute
+      object: (identifier) @request
+      attribute: (identifier) @post)
+    subscript: (_)
+    (#eq? @request "request")
+    (#eq? @post "POST")) @post-after-isvalid
+
+  (call
+    function: (attribute
+      object: (attribute
+        object: (identifier) @request
+        attribute: (identifier) @post)
+      attribute: (identifier) @get)
+    (#eq? @request "request")
+    (#eq? @post "POST")
+    (#eq? @get "get")) @post-after-isvalid
+
+filters:
+  - pattern-inside: |
+      (if_statement
+        condition: (call
+          function: (attribute
+            object: (identifier)
+            attribute: (identifier) @isvalid)
+          arguments: (argument_list))
+        (#eq? @isvalid "is_valid"))
+
+description: |
+  Use form.cleaned_data[] instead of request.POST[]/request.POST.get() after form.is_valid() to access only sanitized data