Decorator api_view(["POST"]) flagged as a security hotspot

ALM: Github
CI: Github Actions
Language and framework: Python, Django, Django Rest Framework
Steps to reproduce:
I have a piece of code as follows:

from rest_framework.decorators import api_view
from rest_framework.response import Response

@api_view(["POST"])  # DRF: only POST (plus OPTIONS) is dispatched to this function
def view(request):
    return Response("")

The above code is written using django and django rest framework.
Sonarcloud flags the code as a security hotspot violating this rule: [RSPEC-3752] - Jira.
It recommends replacing the api_view decorator with the require_POST decorator as follows:

from django.http import HttpResponse
from django.views.decorators.http import require_POST

@require_POST  # Django: any method other than POST gets a 405 response
def view(request):
    return HttpResponse("")

The decorator api_view is from django rest framework.
The decorator require_POST is from Django.
Can you tell me the difference between the decorators api_view(["POST"]) and require_POST from a security perspective?

Hi Sam!

Welcome to our community! At Sonar, we really value our users’ feedback. In that regard, I would like to thank you for reaching out to us.

Currently, our analyzer does not support the @api_view decorator you use. Therefore, the rule raises as if no decorator was present, which would allow all methods on the view.

From a quick look, it does not seem like there is any security-relevant difference between using @require_POST and @api_view(["POST"]) in your case. Before a more satisfying solution exists, you can safely mark this issue as a false positive.
On my side, I created a ticket to track this issue in our internal Jira so that we can further investigate and fix this issue in our products.

Let us know if this is helpful.

Best regards.

Gaetan

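An added example, not code from the thread or from Django/DRF: a dependency-free model of the method allow-listing both decorators perform (the Request/Response classes and the decorator bodies are simplified stand-ins written for this illustration), so the 405 behaviour described above can be checked without a Django install. It also shows the one behavioural difference between the real decorators: @api_view always admits OPTIONS, which DRF answers itself with endpoint metadata, while @require_POST rejects it.

```python
from dataclasses import dataclass, field

# Simplified stand-ins for Django's HttpRequest/HttpResponse (assumption, not the real classes).
@dataclass
class Request:
    method: str

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)

def require_http_methods(request_method_list):
    """Model of django's require_http_methods: anything outside the list is 405 with Allow."""
    def decorator(func):
        def inner(request, *args, **kwargs):
            if request.method not in request_method_list:
                return Response(405, {"Allow": ", ".join(request_method_list)})
            return func(request, *args, **kwargs)
        return inner
    return decorator

require_POST = require_http_methods(["POST"])

def api_view(http_method_names):
    """Model of DRF's api_view dispatch: listed methods plus OPTIONS are allowed;
    OPTIONS is answered by the framework itself, everything else is 405 with Allow."""
    allowed = sorted({m.upper() for m in http_method_names} | {"OPTIONS"})
    def decorator(func):
        def inner(request, *args, **kwargs):
            if request.method not in allowed:
                return Response(405, {"Allow": ", ".join(allowed)})
            if request.method == "OPTIONS":
                return Response(200, {"Allow": ", ".join(allowed)})  # metadata reply
            return func(request, *args, **kwargs)
        return inner
    return decorator

DELETED = []  # constructed side effect: records every request that reaches the view body

def make_view(decorator=None):
    """Build a state-changing view, optionally wrapped by one of the model decorators."""
    def view(request):
        DELETED.append(request.method)  # any method reaching the body mutates state
        return Response(200)
    return decorator(view) if decorator else view

def probe(view):
    """Return {method: status} for the methods a scanner or client might try."""
    return {m: view(Request(m)).status for m in ["GET", "HEAD", "POST", "OPTIONS", "DELETE"]}
```

With no decorator every method reaches the body; with either decorator only POST does, which is the property the hotspot rule is checking for.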

Thank you Gaetan for the quick response.

Hi,
I am not able to mark this issue as False Positive. Can your team do it at your end?

Regards,
Sam Joy

Hi Sam,

Could you be more precise about the issue you face?

In the case of security hotspots, you should be able to set them as safe in the security hotspot view.

If this is unhandy in your case, you can also disable this particular rule in your project configuration under Administration - General Settings / Issues.

Regards.

Gaetan


Hi Gaetan,

You said to mark this issue as False Positive. I had assumed you meant there would be a False Positive option in the list. As there wasn't any, I then thought you meant I should tag this given post, in the SonarSource community, as False Positive. But there is no option to add more tags.

Regards,
Sam