
SAST Engine Pack Version 9.7.6 - Python FastAPI Support Enhancements

Python FastAPI Support

SAST Engine Pack Version 9.7.6 adds full FastAPI coverage to the Python query set. Five new helper queries provide the foundation, and they are plugged into existing vulnerability queries so that FastAPI applications are now detected on par with Django and Flask.

New Helper Queries

Find_FastAPI_RoutedMethods

Identifies all functions decorated with FastAPI route decorators (@app.get, @app.post, @app.put, @app.patch, @app.delete, @app.options, @app.head, @app.trace). Works for both FastAPI() and APIRouter() instances. This is the anchor for all other FastAPI helpers — route-scoped input and output detection depends on it.

Find_FastAPI_Inputs

Marks FastAPI route function parameters as taint sources. Covers:

  • Typed route/query/body parameters declared in routed function signatures

  • request.json, request.form, request.body, request.url, request.cookies, request.query_params, request.path_params, request.headers from injected Request objects

False positive reduction built in: parameters typed as int, float, decimal, or bool are excluded from sources (safe by type). Query parameters with numeric constraint validators (ge, gt, le, lt) or a safe regex pattern are also excluded when used with Annotated[...].
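The route-anchoring and source-marking rules described for Find_FastAPI_RoutedMethods and Find_FastAPI_Inputs, illustrated with an added stdlib-only sketch (this is not the engine pack's own query code). It assumes Python 3.9+ `ast` and runs over a constructed FastAPI snippet embedded as a string, so FastAPI itself need not be installed; the Request-member sources (request.json, request.headers, ...) are not modelled here.

```python
import ast
ROUTE_METHODS = {"get", "post", "put", "patch", "delete", "options", "head", "trace"}
SAFE_BY_TYPE = {"int", "float", "bool", "Decimal"}   # parameters excluded as sources ("safe by type")
NUMERIC_CONSTRAINTS = {"ge", "gt", "le", "lt"}       # Query(...) validators that also exclude
# Constructed sample application (not real project code) exercising each rule.
SAMPLE = '''
app = FastAPI()
router = APIRouter()
@app.get("/items/{item_id}")
def read_item(item_id: int, q: str, page: Annotated[int, Query(ge=1)]):
    return q
@router.post("/search")
async def search(term: str, limit: Annotated[str, Query(le=100)], price: Decimal):
    return term
def not_a_route(data: str):   # undecorated helper: never a source
    return data
'''

def find_routed_methods(source):
    """Find_FastAPI_RoutedMethods: functions decorated @<inst>.<method>(...) where inst is FastAPI()/APIRouter()."""
    tree = ast.parse(source)
    instances = {t.id for n in ast.walk(tree) if isinstance(n, ast.Assign)
                 and isinstance(n.value, ast.Call) and isinstance(n.value.func, ast.Name)
                 and n.value.func.id in ("FastAPI", "APIRouter")
                 for t in n.targets if isinstance(t, ast.Name)}
    routed = []
    for fn in ast.walk(tree):
        if isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef)):
            for dec in fn.decorator_list:
                f = dec.func if isinstance(dec, ast.Call) else dec   # @app.get(...) or bare @app.get
                if (isinstance(f, ast.Attribute) and f.attr in ROUTE_METHODS
                        and isinstance(f.value, ast.Name) and f.value.id in instances):
                    routed.append(fn)
                    break
    return routed

def is_safe_by_type(ann):
    """Find_FastAPI_Inputs exclusion: numeric/bool annotation, or Annotated[...] carrying ge/gt/le/lt (3.9+ ast shape)."""
    if isinstance(ann, ast.Name):
        return ann.id in SAFE_BY_TYPE
    if isinstance(ann, ast.Subscript) and isinstance(ann.value, ast.Name) and ann.value.id == "Annotated":
        parts = ann.slice.elts if isinstance(ann.slice, ast.Tuple) else [ann.slice]
        return is_safe_by_type(parts[0]) or any(isinstance(p, ast.Call) and any(
            k.arg in NUMERIC_CONSTRAINTS for k in p.keywords) for p in parts[1:])
    return False

def find_inputs(source):
    """Find_FastAPI_Inputs: every parameter of a routed function that is not excluded above."""
    return sorted(f"{fn.name}.{a.arg}" for fn in find_routed_methods(source)
                  for a in fn.args.args if not is_safe_by_type(a.annotation))
```

On the sample, `item_id`, `page`, `limit` and `price` drop out by type or constraint, leaving only the two string parameters as sources.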

Find_FastAPI_Outputs

Marks return values of routed functions as taint sinks. Excludes direct Response object returns (tracked separately) to avoid noise on response wrappers that do not render user data directly.

Find_FastAPI_XSS_Outputs

Specialized XSS sink detection for FastAPI HTML-rendering patterns:

  • Functions with response_class=HTMLResponse using .format() on their return value

  • HTMLResponse(content=...) direct instantiation

  • Response(media_type="text/html") / "application/xml" / "application/html"

  • Jinja2 | safe filter output — data piped through safe in a template is now a tracked XSS sink
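The three code-side sink patterns listed for Find_FastAPI_XSS_Outputs, as an added detector sketch (not the engine pack's query code) built on Python's `ast` over a constructed sample; the Jinja2 `| safe` filter lives in templates and is not covered here. Names such as `find_xss_outputs` are this example's own.

```python
import ast
# Constructed sample (not real project code): one route per sink pattern plus a non-sink.
SAMPLE = '''
@app.get("/hello", response_class=HTMLResponse)
def hello(name: str):
    return "<h1>Hello {}</h1>".format(name)

@app.get("/raw")
def raw(name: str):
    return HTMLResponse(content="<p>" + name + "</p>")

@app.get("/xml")
def xml(name: str):
    return Response(content=name, media_type="application/xml")

@app.get("/json")
def json_route(name: str):
    return {"name": name}
'''
HTML_MEDIA_TYPES = {"text/html", "application/xml", "application/html"}

def _keyword(call, name):
    """Value node of keyword argument `name`, or None when it is not passed."""
    return next((k.value for k in call.keywords if k.arg == name), None)

def _is_name(node, ident):
    return isinstance(node, ast.Name) and node.id == ident

def find_xss_outputs(source):
    """Find_FastAPI_XSS_Outputs: (line, pattern) for each HTML-rendering return in the module."""
    sinks = []
    for fn in ast.walk(ast.parse(source)):
        if not isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        html_route = any(isinstance(d, ast.Call) and _is_name(_keyword(d, "response_class"), "HTMLResponse")
                         for d in fn.decorator_list)
        for ret in ast.walk(fn):
            if not isinstance(ret, ast.Return) or not isinstance(ret.value, ast.Call):
                continue
            v = ret.value
            if html_route and isinstance(v.func, ast.Attribute) and v.func.attr == "format":
                sinks.append((ret.lineno, "response_class=HTMLResponse + .format()"))
            elif _is_name(v.func, "HTMLResponse"):
                sinks.append((ret.lineno, "HTMLResponse(content=...)"))
            elif _is_name(v.func, "Response"):
                mt = _keyword(v, "media_type")
                if isinstance(mt, ast.Constant) and mt.value in HTML_MEDIA_TYPES:
                    sinks.append((ret.lineno, f'Response(media_type="{mt.value}")'))
    return sorted(sinks)
```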

Find_FastAPI_Overly_Permissive_CORS

Detects CORSMiddleware configured with allow_origins=["*"] (or any wildcard string) on a FastAPI application instance via app.add_middleware(CORSMiddleware, ...).

Query Coverage Matrix

Queries now active for FastAPI applications. Helper queries (General) carry no severity of their own — they feed the vulnerability queries below.

Helper Queries (New)

| Query | Purpose |
|---|---|
| Find_FastAPI_RoutedMethods | Identifies all @app.get/post/put/patch/delete/... decorated functions for both FastAPI() and APIRouter() instances |
| Find_FastAPI_Inputs | Taint sources: route/query/body parameters and Request object members (json, form, body, cookies, headers, query_params, path_params) |
| Find_FastAPI_Outputs | Taint sinks: return values from routed functions (excludes bare Response wrappers) |
| Find_FastAPI_XSS_Outputs | XSS-specific sinks: HTMLResponse, response_class=HTMLResponse, media_type="text/html/xml", Jinja2 \| safe filter |
| Find_FastAPI_Overly_Permissive_CORS | Detects CORSMiddleware with allow_origins=["*"] on a FastAPI app instance |

Vulnerability Queries — Now Active for FastAPI

| Query | Severity | CWE | Description |
|---|---|---|---|
| SQL_Injection | Critical | CWE-89 | User-controlled data from FastAPI route params flows into raw SQL execution |
| Second_Order_SQL_Injection | Critical | CWE-89 | Stored FastAPI input flows into SQL execution in a later request |
| Code_Injection | Critical | CWE-94 | FastAPI route params flow into exec(), eval(), or compile() |
| Stored_Code_Injection | Critical | CWE-94 | Stored FastAPI input flows into dynamic code execution |
| Command_Injection | Critical | CWE-77 | FastAPI route params flow into os.system, subprocess, or similar shell execution |
| Stored_Command_Injection | Critical | CWE-77 | Stored FastAPI input flows into OS command execution |
| Stored_XSS | Critical | CWE-79 | Stored input flows into an HTMLResponse or Jinja2 \| safe output in a FastAPI route |
| Reflected_XSS | High | CWE-79 | FastAPI route params flow directly into HTMLResponse, media_type="text/html", or response_class=HTMLResponse |
| Path_Traversal | High | CWE-22 | FastAPI route params flow into file system operations without canonicalization |
| SSRF | High | CWE-918 | FastAPI route params flow into outbound HTTP requests |
| LDAP_Injection | High | CWE-90 | FastAPI route params flow into LDAP queries |
| Stored_LDAP_Injection | High | CWE-90 | Stored FastAPI input flows into LDAP queries |
| Deserialization_of_Untrusted_Data | High | CWE-502 | FastAPI route params flow into pickle.loads, yaml.load, or similar deserialization |
| Improper_Restriction_of_XXE_Ref | High | CWE-611 | FastAPI route params flow into XML parsers without XXE protection |
| Local_File_Inclusion | High | CWE-829 | FastAPI route params used to include local files |
| Connection_String_Injection | High | CWE-99 | FastAPI route params flow into database connection string construction |
| Open_Redirect | Medium | CWE-601 | FastAPI route params flow into redirect responses |
| Header_Injection | Medium | CWE-113 | FastAPI route params flow into HTTP response headers |
| Resource_Injection | Medium | CWE-99 | FastAPI route params used to reference system resources |
| Parameter_Tampering | Medium | CWE-472 | FastAPI route params alter application behavior through unsafe direct use |
| XPath_Injection | Medium | CWE-643 | FastAPI route params flow into XPath query construction |
| Privacy_Violation | Medium | CWE-359 | Sensitive personal data from FastAPI inputs flows into logs or external outputs |
| Uncontrolled_Format_String | Medium | CWE-134 | FastAPI route params used in uncontrolled %-formatting or f-strings passed to sinks |
| Command_Argument_Injection | Medium | CWE-88 | FastAPI route params injected as arguments into OS commands |
| Stored_Command_Argument_Injection | Medium | CWE-88 | Stored FastAPI input injected as OS command arguments |
| HttpOnly_Cookie_Flag_Not_Set | Medium | CWE-1004 | Response.set_cookie() in FastAPI routed functions called without httponly=True |
| Secure_Cookie_Flag_Not_Set | Medium | CWE-614 | Response.set_cookie() in FastAPI routed functions called without secure=True |
| Overly_Permissive_CORS | Low | CWE-346 | CORSMiddleware added to FastAPI app with allow_origins=["*"] |
| Log_Forging | Low | CWE-117 | FastAPI route params flow into log statements without sanitization |
| Trust_Boundary_Violation_in_Session_Variables | Low | CWE-501 | FastAPI route params stored in session without validation |

Impact on Existing Vulnerability Queries

The new helpers are wired into the shared query infrastructure, so existing vulnerability queries automatically gain FastAPI coverage:

| Existing Query | What Changed |
|---|---|
| All taint-flow queries (SQL Injection, Command Injection, Path Traversal, SSRF, Code Injection, XXE, etc.) | Find_Interactive_Inputs() now includes Find_FastAPI_Inputs() — FastAPI route parameters are taint sources for every query that calls Find_Interactive_Inputs(). In v974 they were invisible to all of these queries. |
| Reflected XSS, Stored XSS | Find_XSS_Outputs() now includes Find_FastAPI_XSS_Outputs(): HTMLResponse, response_class=HTMLResponse, and media_type="text/html" patterns are now XSS sinks. |
| Overly Permissive CORS | Overly_Permissive_Cross_Origin_Resource_Sharing_Policy now calls Find_FastAPI_Overly_Permissive_CORS() alongside the existing Django check. Wildcard allow_origins in FastAPI middleware was not reported in v974. |
| HttpOnly Cookie Flag Not Set | Query now checks Response.set_cookie(httponly=True) in FastAPI routed functions. A missing or explicitly False httponly flag on FastAPI cookie responses is now reported. |
| Secure Cookie Flag Not Set | Same as above for the secure parameter — Response.set_cookie(secure=True) is now validated in FastAPI context. |
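The two configuration checks above that do not depend on taint flow, the CORS wildcard (Find_FastAPI_Overly_Permissive_CORS) and the missing-or-False httponly/secure flags on set_cookie(), as an added detector sketch on Python's `ast` (not the engine pack's query code). The constructed sample places the weak call beside the corrected one; unlike the real query, this sketch does not restrict set_cookie() to routed functions.

```python
import ast
# Constructed sample (not real project code): weak configuration beside the corrected one.
SAMPLE = '''
app = FastAPI()
app.add_middleware(CORSMiddleware, allow_origins=["*"])                        # flagged
app.add_middleware(CORSMiddleware, allow_origins=["https://ui.example.test"])  # explicit list

@app.post("/login")
def login(response: Response):
    response.set_cookie("session", "abc")                             # both flags missing
    response.set_cookie("csrf", "xyz", httponly=False, secure=True)   # httponly explicitly False
    response.set_cookie("sid", "def", httponly=True, secure=True)     # clean
    return {"ok": True}
'''

def _calls(tree, attr):
    """Yield every Call node of the form <expr>.<attr>(...)."""
    for n in ast.walk(tree):
        if isinstance(n, ast.Call) and isinstance(n.func, ast.Attribute) and n.func.attr == attr:
            yield n

def _kw(call, name):
    """Value node of keyword argument `name`, or None when it is not passed."""
    return next((k.value for k in call.keywords if k.arg == name), None)

def find_permissive_cors(source):
    """Find_FastAPI_Overly_Permissive_CORS: lines with add_middleware(CORSMiddleware, allow_origins=[..."*"...])."""
    hits = []
    for call in _calls(ast.parse(source), "add_middleware"):
        if not (call.args and isinstance(call.args[0], ast.Name) and call.args[0].id == "CORSMiddleware"):
            continue
        origins = _kw(call, "allow_origins")
        if isinstance(origins, ast.List) and any(
                isinstance(e, ast.Constant) and e.value == "*" for e in origins.elts):
            hits.append(call.lineno)
    return sorted(hits)

def find_cookie_flag_issues(source):
    """HttpOnly/Secure_Cookie_Flag_Not_Set: (line, flag) for set_cookie() calls where the flag is not literally True."""
    issues = []
    for call in _calls(ast.parse(source), "set_cookie"):
        for flag in ("httponly", "secure"):
            value = _kw(call, flag)
            if not (isinstance(value, ast.Constant) and value.value is True):
                issues.append((call.lineno, flag))
    return sorted(issues)
```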