
Securing a POST request on Flask

I built a simple Flask application that receives a POST request and performs some actions after receiving it. Here is my simple code:

from flask import Flask, request, jsonify  # imports the snippet relies on

app = Flask(__name__)  # the User model is assumed to be defined elsewhere

@app.route('/<user>/', methods=['POST'])
def receiver(user):
    # filter_by() returns a Query object; .first() fetches the matching row (or None)
    query = User.query.filter_by(token=user).first()
    content = request.data.decode('UTF-8')
    data = {'Content': content, 'Username': query.Username, 'UserID': query.UserID}
    return jsonify(data)

I would like to make this code as safe as possible, but I'm just getting started with Flask and security in general. What dangers can I run into using this code? I'm using the variable user to make a query to my database; can it be harmful if that variable gets set to an SQL query, for example? What other threats should I consider in this case?

Here are some of my thoughts on your question:

  1. Why is this a POST request and not a GET request? POST requests are meant to change data; GETs are for queries.
  2. You don't validate input data. What happens if the user sends you, e.g., a 100 kB long user name? How will the database handle it? Will it have an impact on performance? Will it allow a DoS attack on the server/database?
  3. Yes, SQL injection too. Everywhere relational databases are concerned.
  4. What if the user ID does not exist? Should we not return 404?
  5. What actually is security? What is safety? The two terms are not interchangeable. Safety is when the code does not harm the world. Security is when the world does not harm the code.
  6. There is a wide variety of things to consider that could impact your code's security (meaning providing confidentiality, integrity and accessibility of the data the code touches) that are unrelated to your code, like: communication channel protection, server misconfigurations, DDoS attacks... Even if your code is perfect, the system holding it might still be insecure.
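The three code-level points in this answer (validate the token before it reaches the database, keep user input out of the SQL text, and return 404 for an unknown user) worked through as an added example; this is not code from the question or from either answer. To run stand-alone it uses sqlite3 from the standard library in place of Flask-SQLAlchemy: the table and its two rows are constructed here, the token format (16 to 64 hex characters) and the 64 kB body limit are assumptions, and receiver() returns a (status, body) tuple instead of a Flask response. lookup_unsafe() shows what the injection the question asks about looks like when a query is built by string formatting; lookup_safe() binds the value through the driver, which is also what SQLAlchemy's filter_by(token=user) does under the hood, so the original code is already on the safe side for that particular risk.

```python
import re
import sqlite3

# Assumed limits (not from the question): token format and maximum body size.
TOKEN_RE = re.compile(r"\A[0-9a-f]{16,64}\Z")
MAX_CONTENT = 64 * 1024


def make_db():
    """Constructed sample data: an in-memory table standing in for the User model."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (UserID INTEGER PRIMARY KEY, Username TEXT, token TEXT)")
    conn.executemany(
        "INSERT INTO user (UserID, Username, token) VALUES (?, ?, ?)",
        [(1, "alice", "a1b2c3d4e5f60718"), (2, "bob", "0f1e2d3c4b5a6978")],
    )
    conn.commit()
    return conn


def valid_token(token):
    """Point 2: reject anything that is not a well-formed token before querying.
    A 100 kB string or a quote-laden payload never reaches the database."""
    return isinstance(token, str) and TOKEN_RE.match(token) is not None


def lookup_unsafe(conn, token):
    """Point 3, the anti-pattern: the token is spliced into the SQL text,
    so a value like ' OR '1'='1 rewrites the WHERE clause."""
    sql = "SELECT UserID, Username FROM user WHERE token = '%s'" % token
    return conn.execute(sql).fetchall()


def lookup_safe(conn, token):
    """Point 3, the fix: the driver binds the value, so it is compared as data
    and never parsed as SQL (the same mechanism behind filter_by())."""
    sql = "SELECT UserID, Username FROM user WHERE token = ?"
    return conn.execute(sql, (token,)).fetchall()


def receiver(conn, token, content):
    """Points 2-4 combined. Returns (http_status, body) instead of a Flask response."""
    if not valid_token(token):
        return 400, {"error": "malformed token"}
    if len(content) > MAX_CONTENT:
        return 413, {"error": "payload too large"}
    rows = lookup_safe(conn, token)
    if not rows:
        return 404, {"error": "unknown user"}
    user_id, username = rows[0]
    return 200, {"Content": content, "Username": username, "UserID": user_id}


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, payload))   # both rows leak
    print("safe:  ", lookup_safe(db, payload))     # []
    print(receiver(db, payload, "hello"))           # status 400, rejected before any query
    print(receiver(db, "0" * 16, "hello"))          # status 404, well-formed but unknown
    print(receiver(db, "a1b2c3d4e5f60718", "hello"))  # status 200 with alice's record
```

In the real view the body limit is better enforced with Flask's MAX_CONTENT_LENGTH setting (so the request is rejected before it is read) and the 404 with first_or_404(); the checks above are written out by hand only to show the order they belong in: shape of the input first, then the bound query, then the existence check.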

Just to add to what Marek said, I would also recommend changing to a GET... as long as there's no sensitive information being passed along in the URL. This link nicely explains the differences. It might be a good idea to look at encrypting the URL token string too, so that any parameters aren't passed over in plain text, as this leaves room for vulnerability.

Alongside this, if the site is to be made live, definitely ensure you use SSL encryption.

In terms of SQL validation, you'll need to sanitize the input before it ever reaches the database. You can do this in Flask simply by escaping the HTML special chars... but Flask provides its own function. This link might help in that regard.

In terms of error handling, I found this tutorial mighty useful. That whole series of blog posts walks you right the way through.

Notice: the technical posts on this site follow the CC BY-SA 4.0 license; if you republish, please credit this site's URL or the original URL. For any questions contact: yoyou2525@163.com.
