2 changes: 2 additions & 0 deletions rules/S8370/metadata.json
@@ -0,0 +1,2 @@
{
}
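Review bot: the shared rules/S8370/metadata.json is an empty object while every field (title, type, defaultSeverity, code.impacts) lives only in rules/S8370/python/metadata.json. If that is intentional because the rule is Flask-specific and will never get a second language implementation, a sentence in the PR description saying so would help; otherwise the language-independent fields belong at this level so that any later implementation inherits them instead of duplicating them.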
26 changes: 26 additions & 0 deletions rules/S8370/python/metadata.json
@@ -0,0 +1,26 @@
{
"title": "Query parameters should not be used in Flask POST requests",
"type": "CODE_SMELL",
"status": "ready",
"remediation": {
"func": "Constant/Issue",
"constantCost": "10 min"
},
"tags": [
"flask"
],
"defaultSeverity": "Critical",
"ruleSpecification": "RSPEC-8370",
"sqKey": "S8370",
"scope": "All",
"defaultQualityProfiles": [
"Sonar way"
],
"quickfix": "unknown",
"code": {
"impacts": {
"MAINTAINABILITY": "HIGH"
},
"attribute": "CONVENTIONAL"
}
}
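Review bot: "defaultSeverity": "Critical" does not match the rest of this metadata, which declares a CODE_SMELL with attribute CONVENTIONAL and a single MAINTAINABILITY impact; an API-design convention normally ships at Major or Minor. If the severity is meant to be carried by the security argument in rule.adoc (sensitive values in the URL ending up in server logs, browser history and Referer headers), then "impacts" should also carry a SECURITY entry and the tags should reflect it, so the metadata and the description tell the same story. Separately, "tags" contains only "flask"; adding "design" would make the rule discoverable alongside the other API-design rules.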
70 changes: 70 additions & 0 deletions rules/S8370/python/rule.adoc
@@ -0,0 +1,70 @@
This rule raises an issue when a Flask route handles POST requests and accesses query parameters using `request.args`.

== Why is this an issue?

Using query parameters in POST requests violates REST principles and creates poorly designed APIs.

In RESTful design, POST requests should use:

* Path parameters to identify resources (e.g., `/users/123`)
* Request body to send data payload

Query parameters in POST requests have several problems:

* They expose internal implementation details in the URL
* They make APIs less intuitive and harder to understand
* They can reveal sensitive information in server logs, browser history, and referrer headers
* They violate the principle that POST data should be in the request body

For example, using `POST /resource?key=listOfUsers/user1` exposes the internal XPath structure. This tight coupling between the URL and internal data structure makes the API fragile and harder to maintain.

Proper RESTful design keeps resource identification in the path and data in the body, creating cleaner, more maintainable APIs.

=== What is the potential impact?

This design flaw can lead to:

* Poor API usability and developer experience
* Exposure of internal implementation details
* Security risks from sensitive data in URLs
* Maintenance difficulties due to tight coupling
* Violation of REST principles affecting API consistency

== How to fix it

Use path parameters for resource identification and request body for data. Replace query parameters with proper RESTful URL design.

=== Code examples

==== Noncompliant code example

[source,python,diff-id=1,diff-type=noncompliant]
----
@app.route('/resource', methods=['POST'])
def update_text():
key = request.args.get('key') # Noncompliant
data = request.get_data()
# Process using key from query parameter
return 'Updated'
----

==== Compliant solution

[source,python,diff-id=1,diff-type=compliant]
----
@app.route('/users/<user_id>', methods=['POST'])
def update_user(user_id):
data = request.get_json() # Get data from request body
# Process user_id from path parameter
return 'Updated'
----

== Resources

=== Documentation

* Flask URL Route Registrations - https://flask.palletsprojects.com/en/2.3.x/api/#url-route-registrations[Official Flask documentation on URL routing and path parameters]

* RESTful API Design Best Practices - https://restfulapi.net/rest-api-design-tutorial-with-example/[Comprehensive guide to RESTful API design principles]

* Flask Request Object - https://flask.palletsprojects.com/en/2.3.x/api/#flask.Request[Documentation for Flask's request object and data access methods]
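Review bot: the trigger as stated in the first line ("a Flask route handles POST requests and accesses query parameters using `request.args`") is broad enough to flag legitimate code, and the description should say how those cases are treated: routes registered with `methods=['GET', 'POST']` that read `request.args` on the GET branch; POST actions that use query parameters for something other than the payload (a `?next=` redirect target after a form submission, pagination or filtering on a search action, an API version or a one-time token); and a `request.args.get('key')` that sits inside a `request.method == 'GET'` guard. Stating that only `request.args` reads reachable on the POST path are reported, and listing the exemptions, would cut the false positives. Two points on the examples: the compliant solution changes the endpoint (`/resource` becomes `/users/<user_id>`) and the body parser (`request.get_data()` becomes `request.get_json()`), which is an API redesign rather than a fix of the flagged line; the minimal compliant change for the same route, reading the key from `request.get_json()` or `request.form`, should be shown or at least mentioned. The `key=listOfUsers/user1` XPath example is lifted from the linked restfulapi.net tutorial and, without that context, the reader cannot see why an XPath would be involved; a plainer example such as a user id in the query string would make the point. Finally, the "Security risks from sensitive data in URLs" bullet applies equally to GET requests, so it does not justify a rule that looks only at POST; either narrow the claim or say that GET is out of scope, and the Flask links are pinned to 2.3.x where /en/stable/ would not go stale.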