Sonar: Set content type to `application/json` for `flask.make_response` with JSON data
sonar:python/flask-json-response-type-S5131

| Importance | Review Guidance | Requires Scanning Tool |
|---|---|---|
| Medium | Merge Without Review | Yes (Sonar) |
This codemod acts upon the following Sonar rules: pythonsecurity:S5131.
The default mimetype for `make_response` in Flask is `'text/html'`. This is true even when the response contains JSON data.

If the JSON contains (unsanitized) user-supplied input, a malicious user may supply HTML markup in that input; because the browser treats the response as HTML, it will render that markup, which leaves the application vulnerable to cross-site scripting (XSS).

This fix explicitly sets the response type to `application/json` when the response body is JSON data to avoid this vulnerability. Our changes look something like this:
```diff
from flask import make_response, Flask
import json
app = Flask(__name__)
@app.route("/test")
def foo(request):
json_response = json.dumps({ "user_input": request.GET.get("input") })
- return make_response(json_response)
+ return make_response(json_response, {'Content-Type':'application/json'})
```
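Review bot: the view around the changed line is not valid Flask as written, which matters for anyone copying the illustration: a Flask view function receives no `request` argument, and query parameters are read from `flask.request.args`, not `request.GET`. The `+` line itself is correct, since Flask treats a second positional dict passed to `make_response` as response headers, so the fix sets `Content-Type: application/json` as intended.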
If you have feedback on this codemod, please let us know!
F.A.Q.
Why is this codemod marked as Merge Without Review?
This change only sets the response's content type and does not alter the response body itself, so we deem it safe to merge without review.
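As an added illustration (not part of the codemod or its documentation), the Flask app below places the unfixed and fixed forms of the handler side by side, probes both with Flask's test client to show that only the declared content type differs while the body is byte-for-byte the same, and includes a small audit helper that lists routes returning JSON under a non-JSON content type. The route names, the `probe` function and the `json_routes_served_as_html` helper are assumptions made for this example.

```python
import json

from flask import Flask, make_response, request

app = Flask(__name__)


@app.route("/unsafe")  # hypothetical route: the form the codemod rewrites
def unsafe():
    # Default mimetype is text/html, so a browser renders any markup
    # embedded in the echoed input instead of treating it as data.
    body = json.dumps({"user_input": request.args.get("input", "")})
    return make_response(body)


@app.route("/safe")  # hypothetical route: the form the codemod produces
def safe():
    # Same body; Flask takes a second positional dict as response headers.
    # (flask.jsonify would set the same content type automatically.)
    body = json.dumps({"user_input": request.args.get("input", "")})
    return make_response(body, {"Content-Type": "application/json"})


def probe(path, user_input):
    """Return (status, Content-Type header, body text) for GET path?input=..."""
    client = app.test_client()
    resp = client.get(path, query_string={"input": user_input})
    return resp.status_code, resp.headers["Content-Type"], resp.get_data(as_text=True)


def json_routes_served_as_html(flask_app, sample="<b>probe</b>"):
    """Audit helper (assumed, not part of the codemod): request every
    parameterless GET route and return those whose body parses as JSON but
    whose declared mimetype is not application/json."""
    client = flask_app.test_client()
    offenders = []
    for rule in flask_app.url_map.iter_rules():
        if rule.arguments or "GET" not in (rule.methods or ()):
            continue  # skips parameterised routes such as /static/<path:filename>
        resp = client.get(rule.rule, query_string={"input": sample})
        try:
            json.loads(resp.get_data(as_text=True))
        except ValueError:
            continue  # not a JSON body; out of scope for this rule
        if resp.mimetype != "application/json":
            offenders.append(rule.rule)
    return sorted(offenders)


if __name__ == "__main__":
    print(probe("/unsafe", "<b>x</b>"))
    print(probe("/safe", "<b>x</b>"))
    print(json_routes_served_as_html(app))
```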
Codemod Settings
N/A