form-validation

Try in Playground
python-flaskSecurityWarning

0

inputvalidation
CWE-20

If Flask application is using Flask-WTF to create forms, we ensure that we are correctly defining the validators to validate the data form.

See CWE-20 - Improper Input Validation

Ast Rule: function call


form-validation

How to write a rule
function visit(node, filename, code) {
	const FUNCTION_NAMES = ["StringField", "PasswordField", "BooleanField"];  
  // If filename starts or ends with test_ or _test, do not do anything
  if(filename.includes("_test.py") || filename.startsWith("test_")) {
    return;
  }
  
  if(!node.functionName){
    console.log("bplop");
    return;
  }
  
  if(!FUNCTION_NAMES.includes(node.functionName.value)){
    return;
  }
  
  
  // Get the list of argument
  const arguments = (node.arguments && node.arguments.values) || [];
  
  // Get all the package list that are imported with "import <name>"
  const useWtfForms = node.context.imports.filter(r => r.pkg && r.pkg.value === "wtforms").length > 0;
  
	const hasValidatorsArgument = arguments.filter(a => a.name && a.name.value === "validators").length > 0;
  console.log(hasValidatorsArgument);
  
  if(!hasValidatorsArgument){
    // build the error
    const error = buildError(node.start.line, node.start.col, 
                             node.end.line, node.end.col, 
                             `${node.functionName.value} does not use validators`, "WARNING", "CRITICAL");
    // build the fix (replace foo by bar)
    
    const edit = buildEditAdd(node.end.line, node.end.col - 1,
                             arguments.length > 0 ? ", validators=[]" : "validators=[]")
    // build a fix with one edit
    const fix = buildFix("add validators", [edit]);
    
    // report an error with a fix
    addError(error.addFix(fix));
  }
}
  

has-errors-with-arguments.py

Expected test result: has error

from flask_wtf import FlaskForm
from wtforms import StringField
from wtforms.validators import DataRequired

class MyForm(FlaskForm):
    name = StringField('name')

no-wtform-package.used

Expected test result: has error

from flask_wtf import FlaskForm


class MyForm(FlaskForm):
    name = StringField()

no-error.py

Expected test result: no error

from flask_wtf import FlaskForm
from wtforms import StringField
from wtforms.validators import DataRequired

class MyForm(FlaskForm):
    name = StringField('name', validators=[DataRequired()])

has-errors-without-arguments.py

Expected test result: has error

Add comment

Log in to add a comment


    Be the first one to leave a comment!

Codiga Logo
Codiga Hub
  • Rulesets
  • Explore
  • Cookbooks
  • Playground
soc-2 icon

We are SOC-2 Compliance Certified

G2 high performer medal

Codiga – All rights reserved 2022.