
Sonar: Set content type to `application/json` for `flask.make_response` with JSON data

sonar:python/flask-json-response-type-S5131

| Importance | Review Guidance | Requires Scanning Tool |
| --- | --- | --- |
| Medium | Merge Without Review | Yes (Sonar) |

This codemod acts upon the following Sonar rules: 'pythonsecurity:S5131'.

The default mimetype for make_response in Flask is 'text/html'. This is true even when the response contains JSON data. If the JSON contains (unsanitized) user-supplied input, a malicious user may supply HTML code which leaves the application vulnerable to cross-site scripting (XSS). This fix explicitly sets the response type to application/json when the response body is JSON data to avoid this vulnerability. Our changes look something like this:

from flask import make_response, Flask
import json

app = Flask(__name__)

@app.route("/test")
def foo(request):
json_response = json.dumps({ "user_input": request.GET.get("input") })
- return make_response(json_response)
+ return make_response(json_response, {'Content-Type':'application/json'})
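Review bot: the `+` line pins the mimetype to application/json correctly, but the surrounding context is not valid Flask: a view function does not receive `request` as a parameter, and `request.GET` is Django's API, so `foo` as written fails as soon as `/test` is hit. Suggest `from flask import make_response, Flask, request` on the first line, `def foo():`, and `request.args.get("input")`. Worth stating next to the hunk that the header only stops a browser rendering the body as HTML; the user-supplied value still reaches the response unescaped.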

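To show the transformation itself, here is an added, stdlib-only stand-in for the codemod (not Pixee's or Sonar's code): it parses a Flask module with `ast`, finds `make_response` calls whose body is a `json.dumps` result and which pass no headers, and appends the `Content-Type` dict. The input module `SAMPLE` is constructed for this example and, unlike the snippet above, reads the parameter through Flask's own `request.args`.

```python
"""Added example, not the codemod's own code: rewrite make_response(<json body>) into
make_response(<json body>, {'Content-Type': 'application/json'}). Needs Python 3.9+ (ast.unparse)."""
import ast
# Constructed sample module: one route stores json.dumps() in a variable, one passes it directly.
SAMPLE = '''\
from flask import Flask, make_response, request
import json

app = Flask(__name__)

@app.route("/test")
def foo():
    json_response = json.dumps({"user_input": request.args.get("input")})
    return make_response(json_response)

@app.route("/direct")
def bar():
    return make_response(json.dumps({"ok": True}))
'''

def _is_json_dumps(node):  # True for a call of the form json.dumps(...)
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "dumps"
            and isinstance(node.func.value, ast.Name) and node.func.value.id == "json")

class JsonResponseFixer(ast.NodeTransformer):
    def __init__(self, tree):
        # Names bound to a json.dumps() result, collected module-wide; a real codemod scopes this per function.
        self.json_names = {t.id for n in ast.walk(tree)
                           if isinstance(n, ast.Assign) and _is_json_dumps(n.value)
                           for t in n.targets if isinstance(t, ast.Name)}
        self.findings = []  # line numbers of make_response() calls that were rewritten

    def visit_Call(self, node):
        self.generic_visit(node)
        # Only a bare make_response(body); a second positional arg is already a status or headers.
        if (isinstance(node.func, ast.Name) and node.func.id == "make_response"
                and len(node.args) == 1 and not node.keywords):
            body = node.args[0]
            if _is_json_dumps(body) or (isinstance(body, ast.Name) and body.id in self.json_names):
                self.findings.append(node.lineno)
                node.args.append(ast.Dict(keys=[ast.Constant("Content-Type")],
                                          values=[ast.Constant("application/json")]))
        return node

def fix_source(src):
    tree = ast.parse(src)
    fixer = JsonResponseFixer(tree)
    tree = ast.fix_missing_locations(fixer.visit(tree))
    return ast.unparse(tree), fixer.findings
```

Running `fix_source(SAMPLE)` rewrites both routes and returns the line numbers it touched; running it again on its own output changes nothing, since a second positional argument is already present.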
If you have feedback on this codemod, please let us know!

F.A.Q.

Why is this codemod marked as Merge Without Review?

This change will only restrict the response type and will not alter the response data itself. Thus we deem it safe.

Codemod Settings

N/A

References