Flow accepts requests with any method

Severity
Medium
Applies to
Flow
Links
CWE-749

Why This Issue Is Important

Accepting any HTTP method in an API flow can lead to unexpected behavior and security risks. For example, if a flow is intended to handle only GET requests but also accepts POST or DELETE, an attacker could exploit this to manipulate or delete data. This lack of restriction can result in unintentional exposure or modification of resources, making it a potential security vulnerability.

How This Issue Is Detected

CodeSent detecting this issue by analyzing the flow’s condition. If the request.verb variable is not present in the condition, it indicates that the flow can accept requests with any HTTP method. The tool checks the condition for the presence of the request.verb variable and reports an issue if it’s missing.

How to Fix the Issue

Update the flow’s condition to include the specific HTTP methods that should be allowed. For example, if the flow should only accept GET requests, the condition should be updated to:

<Condition>(request.verb == "GET" and proxy.pathsuffix == "/some/path")</Condition>