Kingdom: Encapsulation
Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not.
Django Bad Practices: Attributes in Deny List
Abstract
The application uses a deny list to control which attributes are exposed by a form. Developers can forget to update the deny list when adding new attributes and may accidentally expose sensitive fields to attackers.
Explanation
The application uses an
Example 1: The following form exposes some
If
exclude
deny list. This is hard to maintain and error prone. If developers add new fields to the form or Model
that backs up the form and forget to update the exclude
filter, they may be exposing sensitive fields to attackers. Attackers will be able to submit and bind malicious data to any non-excluded field.Example 1: The following form exposes some
User
attributes but checks a deny list for the user id
:
from myapp.models import User
...
class UserForm(ModelForm):
class Meta:
model = User
exclude = ['id']
...
If
User
model was updated with a new role
attribute and the associated UserForm
was not updated, the role
attribute would be exposed in the form.References
[1] Django Foundation Creating forms from models
[2] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[3] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[4] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
desc.structural.python.django_bad_practices_attributes_in_deny_list