# Sensitive Field Exposure in API Response

- ID: python-sensitive-field-response-exposure
- Severity: CRITICAL
- CWE: Information Exposure (CWE-200)
- Languages: Python
- Frameworks: flask, fastapi, django, pyramid, bottle, tornado

## Description

Detects when sensitive data fields (passwords, tokens, secrets) are exposed through API endpoint responses. This commonly happens when:

1. Returning user dictionaries with sensitive fields
2. Serializing ORM objects without excluding sensitive fields
3. Including sensitive fields in JSON responses

Security Impact:

- Password hash exposure enabling offline cracking attacks
- API key/token leakage allowing account takeover
- Session token exposure enabling session hijacking
- PII disclosure violating privacy regulations (GDPR, CCPA)

## Detection Message

Sensitive field '{source}' flows to API response at {sink}. This exposes sensitive data (passwords, tokens, secrets) to API consumers.

## Remediation

Use explicit field selection or Pydantic/Marshmallow schemas to exclude sensitive fields, so that only an allowlist of public attributes ever reaches the serializer.

```python
from flask import Flask, jsonify

app = Flask(__name__)
# `User` is the application's ORM model (e.g. a SQLAlchemy model); it is
# assumed to be defined elsewhere in the application.


@app.route('/api/users')
def get_users():
    users = User.query.all()
    # Build the response from an explicit allowlist of public fields instead of
    # serializing the whole model, so password hashes and tokens never leave
    # the service.
    return jsonify([{
        'id': u.id,
        'email': u.email,
        'name': u.name  # password excluded
    } for u in users])
```

Learn more: https://shoulder.dev/learn/python/cwe-200/sensitive-field-response-exposure

## Related Rules

- **Environment Variable Secret Exposure** [HIGH]
- **LLM Model Theft** [HIGH]
- **LLM Sensitive Information Disclosure** [HIGH]
- **Sensitive Field Exposure in API Response** [CRITICAL]
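The following is an added, framework-free example (not code from the rule's documentation or from the shoulder.dev project) that shows the three patterns the Description section names side by side: whole-object serialization that leaks `password_hash` and `api_token`, the allowlist-based serializer the Remediation section recommends, and a small response-time guard that walks a JSON-like payload and reports any key whose name matches a sensitive-field pattern. The `User` dataclass, the `SENSITIVE_KEY_PATTERN` regex, the `PUBLIC_USER_FIELDS` allowlist and the sample users are all constructed for this example; the regex is a simplified stand-in and does not reproduce the rule's actual pattern set.

```python
"""Leaky vs. allowlisted serialization, plus a guard that flags sensitive keys.

Example code added to illustrate the rule; it is not part of the rule itself.
"""
import json
import re
from dataclasses import asdict, dataclass
from typing import Any, Callable, List

# Constructed, simplified list of key-name fragments treated as sensitive.
# The real rule's pattern set is not reproduced here.
SENSITIVE_KEY_PATTERN = re.compile(
    r"(password|passwd|pwd|secret|token|api_key|apikey|private_key|ssn)",
    re.IGNORECASE,
)


@dataclass
class User:
    """Constructed stand-in for an ORM user model."""
    id: int
    email: str
    name: str
    password_hash: str
    api_token: str


# Vulnerable pattern (1)/(2) from the Description: dump the whole object.
def serialize_user_unsafe(user: User) -> dict:
    return asdict(user)


# Hardened form from the Remediation section: an explicit allowlist.
PUBLIC_USER_FIELDS = ("id", "email", "name")


def serialize_user_safe(user: User) -> dict:
    data = asdict(user)
    # Only allowlisted keys are copied; anything new added to the model later
    # (another token, a recovery code) stays private by default.
    return {key: data[key] for key in PUBLIC_USER_FIELDS}


def find_sensitive_fields(payload: Any, path: str = "") -> List[str]:
    """Walk a JSON-like payload and return dotted paths of sensitive-looking keys.

    Dicts contribute their keys, lists contribute an index; scalars are leaves.
    """
    hits: List[str] = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            here = f"{path}.{key}" if path else str(key)
            if isinstance(key, str) and SENSITIVE_KEY_PATTERN.search(key):
                hits.append(here)
            hits.extend(find_sensitive_fields(value, here))
    elif isinstance(payload, list):
        for index, item in enumerate(payload):
            hits.extend(find_sensitive_fields(item, f"{path}[{index}]"))
    return hits


def build_response(users: List[User], serializer: Callable[[User], dict]) -> dict:
    """Assemble the body an endpoint like /api/users would return."""
    return {"users": [serializer(u) for u in users]}


def render_guarded(payload: dict) -> str:
    """Serialize to JSON, refusing to emit a body that carries sensitive keys.

    Suitable as an after-request hook or a test helper in any of the listed
    frameworks; raising here turns a silent leak into a visible failure.
    """
    leaks = find_sensitive_fields(payload)
    if leaks:
        raise ValueError(f"sensitive fields in response: {leaks}")
    return json.dumps(payload)


# Constructed sample data; the hash and token values are placeholders.
SAMPLE_USERS = [
    User(1, "alice@example.com", "Alice", "$2b$12$placeholderhash", "tok_placeholder_1"),
    User(2, "bob@example.com", "Bob", "$2b$12$placeholderhash2", "tok_placeholder_2"),
]


if __name__ == "__main__":
    leaky = build_response(SAMPLE_USERS, serialize_user_unsafe)
    print("leaky response exposes:", find_sensitive_fields(leaky))
    safe = build_response(SAMPLE_USERS, serialize_user_safe)
    print("allowlisted response:", render_guarded(safe))
```

`find_sensitive_fields` is deliberately structural rather than framework-specific: it runs over the plain dict that `jsonify`, FastAPI's response model or a Django `JsonResponse` would encode, so the same check can back a unit test for every endpoint that returns user data.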