Use of HTTP Request Method With Sensitive Query Strings
PY007
sensitive_query_strings
CWE-598
⛔️ Error
The inclusion of sensitive information, such as a username, password, or API key, directly within a URL is considered a security risk because URLs can be logged in various places, such as web server logs, browser history, and network monitoring tools, making the sensitive information vulnerable to unauthorized access.
Example
Error
import http.client
host = "example.com"
conn = http.client.HTTPSConnection(host)
conn.request("GET", "/path?apiKey=value&otherParam=123", headers={})
response = conn.getresponse()
Remediation
fix
To avoid this vulnerability, put sensitive information in the request as headers, rather than a parameter of the URL.
import http.client
host = "example.com"
headers = {
"X-FullContact-APIKey": "value"
}
conn = http.client.HTTPSConnection(host)
conn.request("GET", "/path?otherParam=123", headers=headers)
response = conn.getresponse()
False Positives
In the case of a false positive the rule can be suppressed. Simply add a
trailing or preceding comment line with either the rule ID (PY007) or
rule category name (sensitive_query_strings).
- Using rule ID
- Using category name
fix
import http.client
host = "example.com"
conn = http.client.HTTPSConnection(host)
# suppress: PY007
conn.request("GET", "/path?apiKey=value&otherParam=123", headers={})
response = conn.getresponse()
fix
import http.client
host = "example.com"
conn = http.client.HTTPSConnection(host)
# suppress: sensitive_query_strings
conn.request("GET", "/path?apiKey=value&otherParam=123", headers={})
response = conn.getresponse()