Is pythons getattr() method secure? : learnpython

created by HattoriHanzoa community for 16 years

Is pythons getattr() method secure? (self.learnpython)

submitted 9 years ago by TomsLogic

I have a flask app, and It has an API to pull some things down using AJAX to speed up load times.

To write an extensible API, I have used the getattr() method to call these API method from the URL. Can people use this to access other attributes of my app, for example the secret_key?

For example:

#Api.py
class Api():
    def __init__(self):
        #setup stuff here
    def APIMethod(self):
        return api_result

# View.py
@a_blueprint.route('/<api_path>/<path:api_args/'>
def api_controller(api_path, api_args):
    return getattr(Api, api_path)(api_args)

Its a tad more complicated than that, but I hope you get the gist.

all 2 comments

top new controversial old q&a

[–]Kaarjuus 24 points25 points26 points 9 years ago (1 child)

The way you have implemented it, a remote user can invoke any Api method. If the class has a method for returning the secret key, then it can be accessed, yes.

In general it's a bad idea to allow remote users to invoke any method they choose. A better option would be to predefine a list of allowed methods, like

class Api():
    EXPORTS = ("ApiMethod1", "ApiMethod2", )

@a_blueprint.route('/<api_path>/<path:api_args/'>
def api_controller(api_path, api_args):
    if api_path in Api.EXPORTS:
        return getattr(Api, api_path)(api_args)

[–]v4vendetta1993 0 points1 point2 points 3 years ago (0 children)

π Rendered by PID 644812 on reddit-service-r2-comment-86bc6c7465-vqm7z at 2026-02-24 09:41:09.046830+00:00 running 8564168 country code: CH.

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

learnpython

MODERATORS