Kingdom: Encapsulation

Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not.

Django Bad Practices: Attributes in Deny List

Abstract
The application uses a deny list to control which attributes are exposed by a form. Developers can forget to update the deny list when adding new attributes and may accidentally expose sensitive fields to attackers.
Explanation
The application uses an exclude deny list. This is hard to maintain and error prone. If developers add new fields to the form or Model that backs up the form and forget to update the exclude filter, they may be exposing sensitive fields to attackers. Attackers will be able to submit and bind malicious data to any non-excluded field.

Example 1: The following form exposes some User attributes but checks a deny list for the user id:


from myapp.models import User
...
class UserForm(ModelForm):
  class Meta:
    model = User
    exclude = ['id']
...


If User model was updated with a new role attribute and the associated UserForm was not updated, the role attribute would be exposed in the form.
References
[1] Django Foundation Creating forms from models
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 2
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[8] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
desc.structural.python.django_bad_practices_attributes_in_deny_list