My open source repo has an example Flask view ([test sonar nosq by clavedeluna · Pull Request #508 · pixee/codemodder-python · GitHub]) that uses the example from the sonar nosql rule ([Python static code analysis]) (except with correct code). However, the SonarCloud analysis ([SonarCloud]) did not pick up the nosql vulnerability. I checked that the quality profile it uses has this rule enabled and it is enabled. Anything else I can do?
Hey Dani,

The issue is not found because `request` is not used correctly. Try it like this:
```python
import os

import boto3
from flask import Flask, request

app = Flask(__name__)

AWS_SESSION = boto3.Session(
    aws_access_key_id="YOUR_ACCESS_KEY",
    aws_secret_access_key="YOUR_SECRET_KEY",
    region_name="YOUR_REGION",
)


@app.route("/login")
def login():
    dynamodb = AWS_SESSION.client("dynamodb")
    # Source: values read directly from the Flask request object, so the
    # analyzer can track them as tainted input.
    username = request.args["username"]
    password = request.args["password"]
    # Sink: request data concatenated into the FilterExpression. This is the
    # pattern the NoSQL injection rule reports.
    dynamodb.scan(
        FilterExpression="username = " + username + " and password = " + password,
        TableName="users",
        ProjectionExpression="username",
    )
```