fastapi
fastapi copied to clipboard
tiangolo
Create a middleware to sanitize the request body
First Check
- [X] I added a very descriptive title to this issue.
- [X] I used the GitHub search to find a similar issue and didn't find it.
- [X] I searched the FastAPI documentation, with the integrated search.
- [X] I already searched in Google "How to X in FastAPI" and didn't find any information.
- [X] I already read and followed all the tutorial in the docs and didn't find an answer.
- [X] I already checked if it is not related to FastAPI but to Pydantic.
- [X] I already checked if it is not related to FastAPI but to Swagger UI.
- [X] I already checked if it is not related to FastAPI but to ReDoc.
Commit to Help
- [X] I commit to help with one of those options 👆
Example Code
from starlette.middleware.base import BaseHTTPMiddleware
from starlette.types import Message
from fastapi import Request
import bleach
import json
class SanitizeMiddleware(BaseHTTPMiddleware):
def __init__(self, app):
super().__init__(app)
@staticmethod
def __sanitize_array(array_values):
for index, value in enumerate(array_values):
if isinstance(value, dict):
array_values[index] = {key: bleach.clean(
value) for key, value in value.items()}
else:
array_values[index] = bleach.clean(value)
return array_values
async def set_body(self, request: Request):
receive_ = await request._receive()
async def receive() -> Message:
return receive_
request._receive = receive
async def dispatch(self, request: Request, call_next):
await self.set_body(request)
if request.method == 'POST' or request.method == 'PUT':
json_body = await request.json()
sanitize_body = {key: self.__sanitize_array(value) if isinstance(
value, list) else bleach.clean(value) for key, value in json_body.items()}
request._body = json.dumps(
sanitize_body, indent=2).encode('utf-8')
await self.set_body(request)
response = await call_next(request)
return response
Description
Hello guys, I'm facing an issue while trying to sanitize the request body from POST and PUT methods. The idea is to sanitize the request.body() before it even reachs the view. For instance, I would like to pass bleach on it to avoid security issues that might appear under the body that is sent. I've built a middleware that inherit from BaseHTTPMiddleware, to sanetize the body, but I've notived that I'm not changing the original request element:
Operating System
Linux
Operating System Details
No response
FastAPI Version
0.73.0
Python Version
3.8.10
Additional Context
No response
You never return your request from set_body. Try this:
class SanitizeMiddleware(BaseHTTPMiddleware):
def __init__(self, app):
super().__init__(app)
@staticmethod
def __sanitize_array(array_values):
for index, value in enumerate(array_values):
if isinstance(value, dict):
array_values[index] = {key: bleach.clean(
value) for key, value in value.items()}
else:
array_values[index] = bleach.clean(value)
return array_values
async def set_body(self, request: Request):
receive_ = await request._receive()
async def receive() -> Message:
return receive_
request._receive = receive
return request
async def dispatch(self, request: Request, call_next):
await self.set_body(request)
if request.method == 'POST' or request.method == 'PUT':
json_body = await request.json()
sanitize_body = {key: self.__sanitize_array(value) if isinstance(
value, list) else bleach.clean(value) for key, value in json_body.items()}
request._body = json.dumps(
sanitize_body, indent=2).encode('utf-8')
request = await self.set_body(request)
response = await call_next(request)
return response
You never return your request from
set_body. Try this:class SanitizeMiddleware(BaseHTTPMiddleware): def __init__(self, app): super().__init__(app) @staticmethod def __sanitize_array(array_values): for index, value in enumerate(array_values): if isinstance(value, dict): array_values[index] = {key: bleach.clean( value) for key, value in value.items()} else: array_values[index] = bleach.clean(value) return array_values async def set_body(self, request: Request): receive_ = await request._receive() async def receive() -> Message: return receive_ request._receive = receive return request async def dispatch(self, request: Request, call_next): await self.set_body(request) if request.method == 'POST' or request.method == 'PUT': json_body = await request.json() sanitize_body = {key: self.__sanitize_array(value) if isinstance( value, list) else bleach.clean(value) for key, value in json_body.items()} request._body = json.dumps( sanitize_body, indent=2).encode('utf-8') request = await self.set_body(request) response = await call_next(request) return response
I tested it here and it continues with the same previous request
Hmm I did not expect that.. 🤔 I am tinkering around with this and I notice that there is a custom request being send to the next ASGI app, but the body is unsanitized. If I include a custom key in the request.scope, then that key (and value) is available in my endpoint.
Somewhere, Starlette (or FastAPI but I am thinking Starlette) is unsanitizing the body. Which is very weird!
I think that maybe the request element isn't the same at all, I've noticed that the id for both are different, not sure if that tells much but I'm assuming that they might be addressing to different elements in the memory, but is pure speculation at this point.
@MarcelFox You are right for this
I've noticed that the id for both are different
In BaseHTTPMiddleware, It will be new a request instance pass to next middleware or route endpoint
At this point, we only need the same request instance, so @casluxd you can do this two ways:
- pass request to scope:
scope["request"]=sanitized_reqeust - use contextvars:
sanitized_request_context=contextvars.Contexvars("request"), sanitized_request_context.set(sanitized_reqeust)
So you can get middlerware request in your route endpoint
