SONARPY-3653 Create rule S8389: FastAPI file upload endpoints should use "Form()" with Pydantic validators instead of "Body()" or "Depends()" (#789)

GitOrigin-RevId: 2c2d38fa9d48c7e0e5404598157b7e5d186995d6

Author: Seppli11

.gitignore

@@ -50,3 +50,6 @@ python-frontend/typeshed_serializer/.tox
 .sonar-code-context
 !.sonar-code-context/settings.json
 .cursor/rules/sonar_code_context.mdc
+
+# claude code
+.claude/*.local.*

python-checks/src/main/java/org/sonar/python/checks/FastAPIFileUploadFormCheck.java

@@ -0,0 +1,163 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2025 SonarSource Sàrl
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.python.checks;
+
+import java.util.List;
+import org.sonar.check.Rule;
+import org.sonar.plugins.python.api.PythonSubscriptionCheck;
+import org.sonar.plugins.python.api.SubscriptionContext;
+import org.sonar.plugins.python.api.tree.CallExpression;
+import org.sonar.plugins.python.api.tree.Decorator;
+import org.sonar.plugins.python.api.tree.Expression;
+import org.sonar.plugins.python.api.tree.FunctionDef;
+import org.sonar.plugins.python.api.tree.Parameter;
+import org.sonar.plugins.python.api.tree.RegularArgument;
+import org.sonar.plugins.python.api.tree.SubscriptionExpression;
+import org.sonar.plugins.python.api.tree.Tree;
+import org.sonar.plugins.python.api.tree.TypeAnnotation;
+import org.sonar.plugins.python.api.types.v2.matchers.TypeMatcher;
+import org.sonar.plugins.python.api.types.v2.matchers.TypeMatchers;
+import org.sonar.python.tree.TreeUtils;
+
+@Rule(key = "S8389")
+public class FastAPIFileUploadFormCheck extends PythonSubscriptionCheck {
+
+  private static final String MESSAGE_BODY_WITH_FILE =
+    "Use \"Form()\" instead of \"Body()\" when handling file uploads; " +
+    "\"Body()\" expects JSON, which is incompatible with multipart/form-data.";
+
+  private static final String MESSAGE_DEPENDS_WITH_FILE =
+    "Use \"Form()\" with Pydantic validators instead of \"Depends()\" for " +
+    "file upload endpoints; query parameters may expose sensitive data in URLs.";
+
+  private static final TypeMatcher IS_FASTAPI_ROUTE = TypeMatchers.any(
+    TypeMatchers.isType("fastapi.routing.APIRouter.post"),
+    TypeMatchers.isType("fastapi.routing.APIRouter.put"),
+    TypeMatchers.isType("fastapi.routing.APIRouter.patch"),
+    TypeMatchers.isType("fastapi.routing.APIRouter.delete"),
+    TypeMatchers.isType("fastapi.applications.FastAPI.post"),
+    TypeMatchers.isType("fastapi.applications.FastAPI.put"),
+    TypeMatchers.isType("fastapi.applications.FastAPI.patch"),
+    TypeMatchers.isType("fastapi.applications.FastAPI.delete")
+  );
+
+  private static final TypeMatcher IS_FILE_PARAM = TypeMatchers.isType("fastapi.param_functions.File");
+  private static final TypeMatcher IS_BODY_PARAM = TypeMatchers.isType("fastapi.param_functions.Body");
+  private static final TypeMatcher IS_DEPENDS_PARAM = TypeMatchers.isType("fastapi.param_functions.Depends");
+
+  private static final TypeMatcher IS_UPLOAD_FILE = TypeMatchers.any(
+    TypeMatchers.isOrExtendsType("fastapi.datastructures.UploadFile"),
+    TypeMatchers.isOrExtendsType("starlette.datastructures.UploadFile")
+  );
+
+  private static final TypeMatcher IS_PYDANTIC_MODEL = TypeMatchers.isOrExtendsType("pydantic.BaseModel");
+
+  @Override
+  public void initialize(Context context) {
+    context.registerSyntaxNodeConsumer(Tree.Kind.FUNCDEF, FastAPIFileUploadFormCheck::checkFunctionDef);
+  }
+
+  private static void checkFunctionDef(SubscriptionContext ctx) {
+    FunctionDef functionDef = (FunctionDef) ctx.syntaxNode();
+
+    if (!hasFastAPIRouteDecorator(functionDef, ctx)) {
+      return;
+    }
+
+    List<Parameter> parameters = functionDef.parameters().nonTuple();
+
+    boolean hasFileParameter = parameters.stream()
+      .anyMatch(param -> hasFileParam(param, ctx));
+
+    if (!hasFileParameter) {
+      return;
+    }
+
+    parameters.stream()
+      .filter(param -> hasBodyParam(param, ctx))
+      .forEach(param -> ctx.addIssue(param, MESSAGE_BODY_WITH_FILE));
+
+    parameters.stream()
+      .filter(param -> hasDependsWithPydanticModel(param, ctx))
+      .forEach(param -> ctx.addIssue(param, MESSAGE_DEPENDS_WITH_FILE));
+  }
+
+  private static boolean hasFastAPIRouteDecorator(FunctionDef functionDef, SubscriptionContext ctx) {
+    return functionDef.decorators().stream()
+      .map(Decorator::expression)
+      .flatMap(TreeUtils.toStreamInstanceOfMapper(CallExpression.class))
+      .anyMatch(callExpr -> IS_FASTAPI_ROUTE.isTrueFor(callExpr.callee(), ctx));
+  }
+
+  private static boolean hasFileParam(Parameter param, SubscriptionContext ctx) {
+    Expression defaultValue = param.defaultValue();
+    if (defaultValue instanceof CallExpression callExpr && IS_FILE_PARAM.isTrueFor(callExpr.callee(), ctx)) {
+      return true;
+    }
+
+    TypeAnnotation annotation = param.typeAnnotation();
+    if (annotation != null) {
+      Expression annotationExpr = annotation.expression();
+
+      if (IS_UPLOAD_FILE.isTrueFor(annotationExpr, ctx)) {
+        return true;
+      }
+
+      if (annotationExpr instanceof SubscriptionExpression subscriptionExpr) {
+        return subscriptionExpr.subscripts().expressions().stream()
+          .anyMatch(expr -> IS_UPLOAD_FILE.isTrueFor(expr, ctx));
+      }
+    }
+
+    return false;
+  }
+
+  private static boolean hasBodyParam(Parameter param, SubscriptionContext ctx) {
+    Expression defaultValue = param.defaultValue();
+    if (defaultValue instanceof CallExpression callExpr) {
+      return IS_BODY_PARAM.isTrueFor(callExpr.callee(), ctx);
+    }
+    return false;
+  }
+
+  private static boolean hasDependsWithPydanticModel(Parameter param, SubscriptionContext ctx) {
+    Expression defaultValue = param.defaultValue();
+    if (!(defaultValue instanceof CallExpression dependsCall)) {
+      return false;
+    }
+
+    if (!IS_DEPENDS_PARAM.isTrueFor(dependsCall.callee(), ctx)) {
+      return false;
+    }
+
+    if (!dependsCall.arguments().isEmpty()) {
+      var firstArg = dependsCall.arguments().get(0);
+      if (firstArg instanceof RegularArgument regularArg) {
+        Expression argExpr = regularArg.expression();
+        return IS_PYDANTIC_MODEL.isTrueFor(argExpr, ctx);
+      }
+    }
+
+    TypeAnnotation annotation = param.typeAnnotation();
+    if (annotation != null) {
+      Expression annotationExpr = annotation.expression();
+      return IS_PYDANTIC_MODEL.isTrueFor(annotationExpr, ctx);
+    }
+
+    return false;
+  }
+}

python-checks/src/main/java/org/sonar/python/checks/OpenSourceCheckList.java

@@ -219,6 +219,7 @@ public Stream<Class<?>> getChecks() {
       ExitHasBadArgumentsCheck.class,
       ExpandingArchiveCheck.class,
       FastAPIBindToAllNetworkInterfacesCheck.class,
+      FastAPIFileUploadFormCheck.class,
       FastHashingOrPlainTextCheck.class,
       FieldDuplicatesClassNameCheck.class,
       FieldNameCheck.class,

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S8389.html

@@ -0,0 +1,183 @@
+<p>This is an issue when a FastAPI endpoint accepts file uploads (using <code>File()</code>) and also receives structured data through
+<code>Body()</code> parameters or query parameters (via <code>Depends()</code> without proper form handling). This pattern causes either validation
+errors at runtime or exposes sensitive information in URLs and logs.</p>
+<h2>Why is this an issue?</h2>
+<p>When building web APIs with FastAPI, developers often need to create endpoints that accept both file uploads and structured data. However, the way
+this data is transmitted requires careful consideration due to HTTP protocol constraints and security implications.</p>
+<h2>Understanding HTTP Content Types</h2>
+<p>HTTP requests can encode data in different ways, specified by the <code>Content-Type</code> header:</p>
+<ul>
+  <li> <code>application/json</code> - Used for JSON data in the request body </li>
+  <li> <code>multipart/form-data</code> - Required for file uploads, encodes both files and form fields </li>
+  <li> Query parameters - Appended to the URL after a <code>?</code> character </li>
+</ul>
+<p>When a FastAPI endpoint includes <code>File()</code> parameters, the client must send the request using <code>multipart/form-data</code> encoding.
+This creates a fundamental incompatibility: you cannot mix <code>Body()</code> parameters (which expect <code>application/json</code>) with
+<code>File()</code> parameters in the same endpoint.</p>
+<h2>The Technical Problem</h2>
+<p>If you declare both <code>Body()</code> and <code>File()</code> parameters in the same endpoint, FastAPI cannot properly parse the request. The
+framework expects JSON in the body when it sees <code>Body()</code> parameters, but receives form-encoded data instead when files are included. This
+results in validation errors like "value is not a valid dict" or similar type mismatches.</p>
+<h2>The Security Problem</h2>
+<p>Some developers work around the technical constraint by passing structured data through query parameters using <code>Depends()</code> with a
+Pydantic model. While this avoids the encoding conflict, it creates a serious security vulnerability.</p>
+<p>Query parameters appear in the URL itself, which means they are:</p>
+<ul>
+  <li> Visible in browser address bars </li>
+  <li> Stored in browser history </li>
+  <li> Logged in web server access logs </li>
+  <li> Potentially cached by proxies and CDNs </li>
+  <li> Visible in network monitoring tools </li>
+</ul>
+<p>If the structured data contains sensitive information (user credentials, personal data, tokens, etc.), this exposure creates a significant security
+risk. An attacker with access to server logs, browser history, or network traffic can extract this sensitive information.</p>
+<h2>Why Form Data is the Solution</h2>
+<p>Form data transmitted via <code>multipart/form-data</code> encoding:</p>
+<ul>
+  <li> Is compatible with file uploads </li>
+  <li> Is sent in the request body, not the URL </li>
+  <li> Does not appear in server logs (only the URL path is logged) </li>
+  <li> Can be properly validated and parsed by FastAPI </li>
+</ul>
+<p>The challenge is that form data is transmitted as strings, not as structured JSON objects. This is where Pydantic’s custom validators become
+essential - they allow you to parse JSON strings from form fields while maintaining type safety and validation.</p>
+<h3>What is the potential impact?</h3>
+<h3>Exposure of Sensitive Data</h3>
+<p>When structured data containing sensitive information is passed through query parameters, it becomes visible in multiple locations:</p>
+<ul>
+  <li> Server access logs permanently record the full URL including all query parameters </li>
+  <li> Browser history stores the complete URL, accessible to anyone with access to the device </li>
+  <li> Network intermediaries (proxies, load balancers) may log or cache the URLs </li>
+  <li> Referrer headers may leak the URL to third-party sites </li>
+</ul>
+<p>This exposure can lead to unauthorized access to user accounts, personal information disclosure, or compliance violations (GDPR, HIPAA,
+PCI-DSS).</p>
+<h3>Application Failures</h3>
+<p>When <code>Body()</code> and <code>File()</code> parameters are mixed incorrectly, the application will fail at runtime with validation errors.
+Users will be unable to complete file upload operations, resulting in:</p>
+<ul>
+  <li> Poor user experience </li>
+  <li> Failed business processes </li>
+  <li> Support burden from confused users </li>
+  <li> Potential data loss if users abandon the operation </li>
+</ul>
+<h2>How to fix it in FastAPI</h2>
+<p>Replace <code>Body()</code> parameters with <code>Form()</code> parameters and add a Pydantic validator to parse JSON strings. This ensures
+compatibility with file uploads while maintaining type safety.</p>
+<h3>Code examples</h3>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="1" data-diff-type="noncompliant">
+@router.post("/upload")
+async def create_policy(
+    countryId: str = Body(...),  # Noncompliant
+    policyDetails: List[dict] = Body(...),  # Noncompliant
+    files: List[UploadFile] = File(...)
+):
+    return {"status": "ok"}
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="1" data-diff-type="compliant">
+class PolicyData(BaseModel):
+    countryId: str
+    policyDetails: List[dict]
+
+    @model_validator(mode='before')
+    @classmethod
+    def validate_to_json(cls, value):
+        if isinstance(value, str):
+            return cls(**json.loads(value))
+        return value
+
+@router.post("/upload")
+async def create_policy(
+    data: PolicyData = Form(...),
+    files: List[UploadFile] = File(...)
+):
+    return {"status": "ok"}
+</pre>
+<p>Replace <code>Depends()</code> with <code>Form()</code> when passing structured data alongside file uploads. Use a custom validator to parse the
+JSON string from the form field.</p>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="2" data-diff-type="noncompliant">
+@app.post("/submit")
+def submit(
+    base: Base = Depends(),  # Noncompliant - data exposed in query parameters
+    files: List[UploadFile] = File(...)
+):
+    return {"JSON Payload": base, "Filenames": [file.filename for file in files]}
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="2" data-diff-type="compliant">
+class Base(BaseModel):
+    countryId: str
+    sensitiveData: str
+
+    @model_validator(mode='before')
+    @classmethod
+    def validate_to_json(cls, value):
+        if isinstance(value, str):
+            return cls(**json.loads(value))
+        return value
+
+@app.post("/submit")
+def submit(
+    base: Base = Form(...),
+    files: List[UploadFile] = File(...)
+):
+    return {"JSON Payload": base, "Filenames": [file.filename for file in files]}
+</pre>
+<p>If you need to accept complex nested structures, create a dependency function that reads from <code>Form()</code> and performs validation with
+proper error handling.</p>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="3" data-diff-type="noncompliant">
+@app.post("/data")
+async def upload_data(
+    config: DataConfiguration = Depends(),  # Noncompliant
+    csvFile: UploadFile = File(...)
+):
+    pass
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="3" data-diff-type="compliant">
+from fastapi import HTTPException, status
+from fastapi.encoders import jsonable_encoder
+from pydantic import ValidationError
+
+def parse_config(data: str = Form(...)) -&gt; DataConfiguration:
+    try:
+        return DataConfiguration.model_validate_json(data)
+    except ValidationError as e:
+        raise HTTPException(
+            detail=jsonable_encoder(e.errors()),
+            status_code=status.HTTP_422_UNPROCESSABLE_ENTITY,
+        )
+
+@app.post("/data")
+async def upload_data(
+    config: DataConfiguration = Depends(parse_config),
+    csvFile: UploadFile = File(...)
+):
+    pass
+</pre>
+<h2>Resources</h2>
+<h3>Documentation</h3>
+<ul>
+  <li> FastAPI - Request Forms and Files - <a href="https://fastapi.tiangolo.com/tutorial/request-forms-and-files/">Official FastAPI documentation on
+  handling forms and files together</a> </li>
+  <li> FastAPI - Request Body - <a href="https://fastapi.tiangolo.com/tutorial/body/">Official documentation explaining Body parameters and JSON
+  encoding</a> </li>
+  <li> Pydantic - Validators - <a href="https://docs.pydantic.dev/latest/concepts/validators/">Documentation on Pydantic validators for custom data
+  parsing</a> </li>
+  <li> OWASP - Logging Cheat Sheet - <a href="https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html">Guidelines on what data should
+  not be logged, including query parameters with sensitive data</a> </li>
+</ul>
+<h3>Standards</h3>
+<ul>
+  <li> OWASP Top 10 2021 A01 - <a href="https://owasp.org/Top10/A01_2021-Broken_Access_Control/">Broken Access Control - exposing sensitive data in
+  URLs can lead to unauthorized access</a> </li>
+  <li> OWASP Top 10 2021 A09 - <a href="https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/">Security Logging and Monitoring
+  Failures - sensitive data in logs creates security risks</a> </li>
+  <li> CWE 359 - <a href="https://cwe.mitre.org/data/definitions/359.html">Exposure of Private Personal Information to an Unauthorized Actor</a> </li>
+  <li> CWE 598 - <a href="https://cwe.mitre.org/data/definitions/598.html">Use of GET Request Method With Sensitive Query Strings</a> </li>
+</ul>
+

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S8389.json

@@ -0,0 +1,28 @@
+{
+  "title": "FastAPI file upload endpoints should use \"Form()\" with Pydantic validators instead of \"Body()\" or \"Depends()\"",
+  "type": "VULNERABILITY",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "10 min"
+  },
+  "tags": [
+    "fastapi",
+    "security",
+    "file-upload",
+    "pydantic"
+  ],
+  "defaultSeverity": "Blocker",
+  "ruleSpecification": "RSPEC-8389",
+  "sqKey": "S8389",
+  "scope": "Main",
+  "quickfix": "unknown",
+  "code": {
+    "impacts": {
+      "SECURITY": "BLOCKER",
+      "RELIABILITY": "BLOCKER",
+      "MAINTAINABILITY": "HIGH"
+    },
+    "attribute": "CONVENTIONAL"
+  }
+}

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/Sonar_way_profile.json

@@ -309,6 +309,7 @@
     "S7945",
     "S8375",
     "S8392",
+    "S8389",
     "S8396"
   ]
 }