Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.
Sign upCodeQL query to find if an Django application is vulnerable to CSRF #70
Labels
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE ID(s)
There's no CVE for this.
Report
When a Django project is created, the CSRF middleware is activated by default in the MIDDLEWARE setting, thereby providing CSRF protection to all the views. It is also possible to disable this to make development easier and unless decorators such as
csrf_protect()is used to protect the every single critical views, the application will be vulnerable to Cross-Site Request Forgery (CWE-352).CSRF Protection can be enabled/ Disabled by adding/ removing the
django.middleware.csrf.CsrfViewMiddlewarefrom the MIDDLEWARE variable.This PR adds a CodeQL query with unit tests, which checks if any forms of CSRF prevention mechanism is enabled.
CSRF mechanism tested:
django.middleware.csrf.CsrfViewMiddlewarein MIDDLEWARE variable.CsrfViewMiddlewareclassThe details are present in PR: github/codeql#3296