Flask Input Validation
Introduction
Input validation is a critical security practice in web application development. It involves verifying that the data received by your application meets specific criteria before processing it. In Flask applications, proper input validation helps prevent various attacks like SQL injection, Cross-Site Scripting (XSS), and other injection-based vulnerabilities.
This guide will walk you through implementing robust input validation techniques in your Flask applications. We'll cover both built-in Flask capabilities and third-party libraries that make validation more straightforward and comprehensive.
Why Input Validation Matters
Without proper validation, user inputs can:
- Introduce malicious code into your application
- Cause unexpected application behavior
- Lead to data corruption or loss
- Expose sensitive information
- Create security vulnerabilities
Basic Input Validation in Flask
Form Validation with Flask-WTF
Flask-WTF is an extension that integrates WTForms with Flask. It provides a simple way to define form structures and validation rules.
First, install Flask-WTF:
pip install Flask-WTF
Here's a basic example of form validation:
from flask import Flask, render_template, request, redirect, flash
from flask_wtf import FlaskForm
from wtforms import StringField, PasswordField, SubmitField
from wtforms.validators import DataRequired, Email, Length, EqualTo
app = Flask(__name__)
app.config['SECRET_KEY'] = 'your-secret-key' # Required for CSRF protection
# Define a registration form with validation
class RegistrationForm(FlaskForm):
username = StringField('Username', validators=[
DataRequired(),
Length(min=4, max=20)
])
email = StringField('Email', validators=[
DataRequired(),
Email()
])
password = PasswordField('Password', validators=[
DataRequired(),
Length(min=8)
])
confirm_password = PasswordField('Confirm Password', validators=[
DataRequired(),
EqualTo('password')
])
submit = SubmitField('Sign Up')
@app.route('/register', methods=['GET', 'POST'])
def register():
form = RegistrationForm()
if form.validate_on_submit():
# Process the validated form data
flash(f'Account created for {form.username.data}!', 'success')
return redirect('/')
return render_template('register.html', form=form)
if __name__ == '__main__':
app.run(debug=True)
The corresponding register.html template might look like:
<!DOCTYPE html>
<html>
<head>
<title>Register</title>
</head>
<body>
<h1>Register</h1>
<form method="POST" action="">
{{ form.hidden_tag() }}
<div>
{{ form.username.label }}
{{ form.username }}
{% if form.username.errors %}
<div class="errors">
{% for error in form.username.errors %}
<span>{{ error }}</span>
{% endfor %}
</div>
{% endif %}
</div>
<div>
{{ form.email.label }}
{{ form.email }}
{% if form.email.errors %}
<div class="errors">
{% for error in form.email.errors %}
<span>{{ error }}</span>
{% endfor %}
</div>
{% endif %}
</div>
<div>
{{ form.password.label }}
{{ form.password }}
{% if form.password.errors %}
<div class="errors">
{% for error in form.password.errors %}
<span>{{ error }}</span>
{% endfor %}
</div>
{% endif %}
</div>
<div>
{{ form.confirm_password.label }}
{{ form.confirm_password }}
{% if form.confirm_password.errors %}
<div class="errors">
{% for error in form.confirm_password.errors %}
<span>{{ error }}</span>
{% endfor %}
</div>
{% endif %}
</div>
<div>
{{ form.submit }}
</div>
</form>
</body>
</html>
Common WTForms Validators
WTForms provides several built-in validators:
DataRequired(): Ensures the field is not emptyEmail(): Validates email formatLength(min, max): Checks string lengthNumberRange(min, max): Validates number rangeEqualTo(fieldname): Compares with another field (good for password confirmation)URL(): Validates URL formatRegexp(regex): Validates against a regular expression pattern
API Input Validation
For API endpoints, you might want a more lightweight approach or a solution designed specifically for validating JSON data.
Using Marshmallow for API Validation
Marshmallow is an ORM/ODM/framework-agnostic library for converting complex datatypes, such as objects, to and from native Python datatypes.
pip install marshmallow
Here's an example of validating API inputs with Marshmallow:
from flask import Flask, request, jsonify
from marshmallow import Schema, fields, ValidationError
app = Flask(__name__)
# Define the schema for user data
class UserSchema(Schema):
username = fields.String(required=True, validate=lambda s: 4 <= len(s) <= 20)
email = fields.Email(required=True)
age = fields.Integer(validate=lambda n: 18 <= n <= 120)
@app.route('/api/users', methods=['POST'])
def create_user():
# Get the JSON data
json_data = request.get_json()
if not json_data:
return jsonify({"message": "No input data provided"}), 400
# Validate the data
try:
user_data = UserSchema().load(json_data)
except ValidationError as err:
return jsonify({"message": "Validation errors", "errors": err.messages}), 422
# Process the validated data
# ...
return jsonify({"message": "User created successfully", "user": user_data}), 201
if __name__ == '__main__':
app.run(debug=True)
In this example:
- We define a
UserSchemawith validation rules for each field - When a POST request is made to
/api/users, we validate the JSON data against our schema - If validation fails, we return an error response with details
Advanced Input Validation Techniques
Custom Validators
You can create custom validators when built-in validators don't meet your specific requirements:
from wtforms.validators import ValidationError
# Custom validator for Flask-WTF
def validate_username(form, field):
forbidden_usernames = ['admin', 'administrator', 'root', 'system']
if field.data.lower() in forbidden_usernames:
raise ValidationError('This username is reserved.')
# Using the custom validator
class RegistrationForm(FlaskForm):
username = StringField('Username', validators=[
DataRequired(),
Length(min=4, max=20),
validate_username
])
# Other fields...
Sanitizing Inputs
Validation ensures data meets criteria, but sanitization actually modifies the data to make it safe:
import bleach
@app.route('/comment', methods=['POST'])
def add_comment():
form = CommentForm()
if form.validate_on_submit():
# Sanitize the HTML content to prevent XSS
safe_comment = bleach.clean(
form.comment_body.data,
tags=['p', 'b', 'i', 'u', 'a'],
attributes={'a': ['href']},
strip=True
)
# Now it's safe to store in the database
# ...
return render_template('comments.html', form=form)
Input Validation with Flask-Inputs
Flask-Inputs is a library that allows you to validate request inputs (form data, args, JSON, etc.) based on WTForms validators.
pip install flask-inputs
Example usage:
from flask import Flask, request, jsonify
from flask_inputs import Inputs
from wtforms.validators import DataRequired, Email
app = Flask(__name__)
class UserInputs(Inputs):
json = {
'email': [DataRequired(), Email()],
'name': [DataRequired()]
}
@app.route('/api/user', methods=['POST'])
def create_user():
inputs = UserInputs(request)
if inputs.validate():
# Process validated input
data = request.get_json()
return jsonify({"status": "success", "data": data})
else:
return jsonify({"status": "error", "errors": inputs.errors}), 400
if __name__ == '__main__':
app.run(debug=True)
Real-World Application Example
Let's build a more comprehensive example of a user registration system with robust input validation:
from flask import Flask, render_template, redirect, url_for, flash, request
from flask_wtf import FlaskForm, RecaptchaField
from wtforms import StringField, PasswordField, SubmitField
from wtforms.validators import DataRequired, Email, Length, EqualTo, ValidationError
import re
app = Flask(__name__)
app.config['SECRET_KEY'] = 'your-secret-key'
app.config['RECAPTCHA_PUBLIC_KEY'] = 'your-recaptcha-public-key'
app.config['RECAPTCHA_PRIVATE_KEY'] = 'your-recaptcha-private-key'
# Custom validators
def password_strength(form, field):
password = field.data
# Check for minimum requirements
if len(password) < 8:
raise ValidationError('Password must be at least 8 characters long.')
# Check for complexity
if not re.search(r'[A-Z]', password):
raise ValidationError('Password must contain at least one uppercase letter.')
if not re.search(r'[a-z]', password):
raise ValidationError('Password must contain at least one lowercase letter.')
if not re.search(r'[0-9]', password):
raise ValidationError('Password must contain at least one number.')
if not re.search(r'[^A-Za-z0-9]', password):
raise ValidationError('Password must contain at least one special character.')
def username_check(form, field):
username = field.data
# Ensure no spaces
if ' ' in username:
raise ValidationError('Username cannot contain spaces.')
# Check for valid characters
if not re.match(r'^[a-zA-Z0-9_]+$', username):
raise ValidationError('Username can only contain letters, numbers, and underscores.')
# In a real app, you'd also check if the username already exists in your database
existing_usernames = ['admin', 'user', 'test'] # Example placeholder
if username.lower() in existing_usernames:
raise ValidationError('Username already taken.')
class RegistrationForm(FlaskForm):
username = StringField('Username', validators=[
DataRequired(),
Length(min=4, max=20, message='Username must be between 4 and 20 characters.'),
username_check
])
email = StringField('Email', validators=[
DataRequired(),
Email(message='Please enter a valid email address.')
])
password = PasswordField('Password', validators=[
DataRequired(),
password_strength
])
confirm_password = PasswordField('Confirm Password', validators=[
DataRequired(),
EqualTo('password', message='Passwords must match.')
])
recaptcha = RecaptchaField()
submit = SubmitField('Sign Up')
@app.route('/register', methods=['GET', 'POST'])
def register():
form = RegistrationForm()
if form.validate_on_submit():
# In a real app, you would:
# 1. Hash the password
# 2. Store user in database
# 3. Send verification email
flash('Account created successfully! Please check your email to verify your account.', 'success')
return redirect(url_for('login'))
return render_template('register.html', form=form)
@app.route('/login')
def login():
return "Login page placeholder"
if __name__ == '__main__':
app.run(debug=True)
This example demonstrates:
- Custom validators for complex requirements
- Regular expression validation
- Password strength requirements
- CAPTCHA integration to prevent automated submissions
- User-friendly error messages
Security Considerations for Input Validation
When implementing input validation, keep these best practices in mind:
-
Validate on both client and server sides: Client-side validation provides immediate feedback, but server-side validation is essential for security.
-
Whitelist, don't blacklist: Define what's allowed rather than what's not allowed.
-
Validate format, length, range, and type: Different data requires different validation strategies.
-
Handle validation errors gracefully: Provide helpful feedback without revealing sensitive information.
-
Use CSRF protection: Flask-WTF includes CSRF protection by default.
-
Consider rate limiting: Protect against brute-force attacks by limiting request frequency.
-
Log validation failures: Consistent validation failures may indicate an attack.
-
Sanitize after validating: Even valid input might need sanitization for certain contexts.
Common Input Validation Pitfalls
- Over-reliance on client-side validation: JavaScript validation can be bypassed.
- Insufficient validation: Only checking format but not content.
- Inconsistent validation: Applying different rules in different parts of the application.
- Rejecting valid input: Being too strict with validation can frustrate users.
- Revealing sensitive information in error messages: Error messages should be helpful but not reveal system details.
Summary
Input validation is a fundamental security practice in Flask applications. By properly validating user inputs, you protect your application from various attacks and ensure data integrity. This guide covered:
- Basic form validation with Flask-WTF
- API validation with Marshmallow and Flask-Inputs
- Creating custom validators for complex requirements
- Sanitizing inputs to prevent injection attacks
- Real-world examples and best practices
Remember that input validation is just one layer of your application's security architecture—it should be combined with other security practices like output encoding, proper authentication, and authorization mechanisms.
Additional Resources
- Flask-WTF Documentation
- WTForms Documentation
- Marshmallow Documentation
- OWASP Input Validation Cheat Sheet
- Flask Security Considerations
Exercises
-
Create a Flask form that validates a user profile with fields for name, age, bio, website URL, and profile picture URL.
-
Implement a JSON API endpoint that validates product information (name, price, category, and description) using Marshmallow.
-
Write custom validators to check that:
- A password doesn't contain the username
- A date field is in the future
- An input doesn't contain specific banned words
-
Build a comment submission system that validates and sanitizes HTML content to prevent XSS attacks.
-
Extend the registration example to include email verification and additional profile information.
If you spot any mistakes on this website, please let me know at [email protected]. I’d greatly appreciate your feedback! :)