chore: add checker to detect request.POST method after is_valid() check (DeepSourceCorp#143)

* chore: add checker to detect request.POST method after is_valid() check

Signed-off-by: Maharshi Basu <basumaharshi10@gmail.com>

* chore: refine checker message

Signed-off-by: Maharshi Basu <basumaharshi10@gmail.com>

* chore: improve checker message, description + add test case

Signed-off-by: Maharshi Basu <basumaharshi10@gmail.com>

---------

Signed-off-by: Maharshi Basu <basumaharshi10@gmail.com>
Signed-off-by: Unnat Sharma <officialunnat30@gmail.com>

Author: MashyBasker

checkers/python/post-after-isvalid.test.py

@@ -0,0 +1,62 @@
+from django.shortcuts import render, redirect
+from .models import *
+from .forms import *
+
+
+# The idea here is to create an model object called a Tournament, with a form for creation called CreateTournamentForm()
+# 
+# Django best practices are to use form.cleaned_data[] after validation to ensure you're accessing well-sanitized data:
+# https://docs.djangoproject.com/en/4.2/ref/forms/api/#accessing-clean-data
+# 
+# Some fairly typical django form object creation handlers
+# This handler does NOT use request.cleaned_data[], even after form.is_valid() has run
+def create_new_tournament_dangerous(request):
+    if request.method == 'POST':
+        form = CreateTournamentForm(request.POST)
+        if form.is_valid():
+# <expect-error>
+            t = Tournament(name=request.POST['name'])
+            t.save()
+            return redirect('index')
+    else:
+        context = { 'form': CreateTournamentForm()}
+        return render(request, 'create_tournament.html', context)
+    
+def create_new_tournament_dangerous(request):
+    if request.method == 'POST':
+        form = CreateTournamentForm(request.POST)
+        if form.is_valid():
+# <expect-error>
+            t = Tournament(name=request.POST.get('name'))
+            t.save()
+            return redirect('index')
+    else:
+        context = { 'form': CreateTournamentForm()}
+        return render(request, 'create_tournament.html', context)
+
+def create_new_tournament_dangerous_post_after_few_lines(request):
+    if request.method == 'POST':
+        form = CreateTournamentForm(request.POST)
+        if form.is_valid():
+            # placeholder comment
+            print("Placeholder print statement")
+            # <expect-error>
+            t = Tournament(name=request.POST.get('name'))
+            t.save()
+            return redirect('index')
+    else:
+        context = { 'form': CreateTournamentForm()}
+        return render(request, 'create_tournament.html', context)
+
+# This handler DOES use request.cleaned_data[], even after form.is_valid() has run
+def create_new_tournament_safe(request):
+    if request.method == 'POST':
+        form = CreateTournamentForm(request.POST)
+        if form.is_valid():
+# <no-error>
+            t = Tournament(name=form.cleaned_data['name'])
+            t.save()
+            return redirect('index')
+    else:
+        context = { 'form': CreateTournamentForm()}
+        return render(request, 'create_tournament.html', context)

checkers/python/post-after-isvalid.yml

@@ -0,0 +1,36 @@
+language: py
+name: post-after-isvalid
+message: Use form.cleaned_data[] after validation instead of request.POST[]
+category: security
+
+pattern: |
+  (subscript
+    value: (attribute
+      object: (identifier) @request
+      attribute: (identifier) @post)
+    subscript: (_)
+    (#eq? @request "request")
+    (#eq? @post "POST")) @post-after-isvalid
+
+  (call
+    function: (attribute
+      object: (attribute
+        object: (identifier) @request
+        attribute: (identifier) @post)
+      attribute: (identifier) @get)
+    (#eq? @request "request")
+    (#eq? @post "POST")
+    (#eq? @get "get")) @post-after-isvalid
+
+filters:
+  - pattern-inside: |
+      (if_statement
+        condition: (call
+          function: (attribute
+            object: (identifier)
+            attribute: (identifier) @isvalid)
+          arguments: (argument_list))
+        (#eq? @isvalid "is_valid"))
+
+description: |
+  Use form.cleaned_data[] instead of request.POST[] or request.POST.get() after form.is_valid() to ensure data is properly sanitized. Directly accessing request.POST[] can expose the application to security risks, including injection attacks.