globstar/checkers/python/post-after-isvalid.yml at 3d36d4f4f76b9c2923dc60decbce90e0d0e7bc53 · MashyBasker/globstar · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
language: py
name: post-after-isvalid
message: After form.is_valid(), use form.cleaned_data[] instead of request.POST[] or request.POST.get() to ensure data is sanitized.
category: security

pattern: |
  (subscript
    value: (attribute
      object: (identifier) @request
      attribute: (identifier) @post)
    subscript: (_)
    (#eq? @request "request")
    (#eq? @post "POST")) @post-after-isvalid

  (call
    function: (attribute
      object: (attribute
        object: (identifier) @request
        attribute: (identifier) @post)
      attribute: (identifier) @get)
    (#eq? @request "request")
    (#eq? @post "POST")
    (#eq? @get "get")) @post-after-isvalid

filters:
  - pattern-inside: |
      (if_statement
        condition: (call
          function: (attribute
            object: (identifier)
            attribute: (identifier) @isvalid)
          arguments: (argument_list))
        (#eq? @isvalid "is_valid"))

description: |
  Use form.cleaned_data[] instead of request.POST[]/request.POST.get() after form.is_valid() to access only sanitized data