ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S4502/python/rule.adoc
Fred Tingaud 51369b610e
Make sure that includes are always surrounded by empty lines (#2270) 
When an include is not surrounded by empty lines, its content is inlined
on the same line as the adjacent content. That can lead to broken tags
and other display issues.
This PR fixes all such includes and introduces a validation step that
forbids introducing the same problem again.
2023-06-22 10:38:01 +02:00

148 lines
3.5 KiB
Plaintext
Raw Blame History

include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
For a https://docs.djangoproject.com/fr/3.0/ref/csrf/[Django] application, the code is sensitive when,
* ``++django.middleware.csrf.CsrfViewMiddleware++`` is not used in the https://docs.djangoproject.com/en/3.0/topics/settings/[Django settings]:
----
MIDDLEWARE = [
'django.middleware.security.SecurityMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
] # Sensitive: django.middleware.csrf.CsrfViewMiddleware is missing
----
* the CSRF protection is disabled on a view:
----
@csrf_exempt # Sensitive
def example(request):
return HttpResponse("default")
----
For a https://flask-wtf.readthedocs.io/en/latest/csrf.html[Flask] application, the code is sensitive when,
* the ``++WTF_CSRF_ENABLED++`` setting is set to ``++false++``:
----
app = Flask(__name__)
app.config['WTF_CSRF_ENABLED'] = False # Sensitive
----
* the application doesn't use the ``++CSRFProtect++`` module:
----
app = Flask(__name__) # Sensitive: CSRFProtect is missing
@app.route('/')
def hello_world():
return 'Hello, World!'
----
* the CSRF protection is disabled on a view:
----
app = Flask(__name__)
csrf = CSRFProtect()
csrf.init_app(app)
@app.route('/example/', methods=['POST'])
@csrf.exempt # Sensitive
def example():
return 'example '
----
* the CSRF protection is disabled on a form:
----
class unprotectedForm(FlaskForm):
class Meta:
csrf = False # Sensitive
name = TextField('name')
submit = SubmitField('submit')
----
== Compliant Solution
For a https://docs.djangoproject.com/fr/3.0/ref/csrf/[Django] application,
* it is recommended to protect all the views with ``++django.middleware.csrf.CsrfViewMiddleware++``:
[source,python]
----
MIDDLEWARE = [
'django.middleware.security.SecurityMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware', # Compliant
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
]
----
* and to not disable the CSRF protection on specific views:
[source,python]
----
def example(request): # Compliant
return HttpResponse("default")
----
For a https://flask-wtf.readthedocs.io/en/latest/csrf.html[Flask] application,
* the ``++CSRFProtect++`` module should be used (and not disabled further with ``++WTF_CSRF_ENABLED++`` set to ``++false++``):
[source,python]
----
app = Flask(__name__)
csrf = CSRFProtect()
csrf.init_app(app) # Compliant
----
* and it is recommended to not disable the CSRF protection on specific views or forms:
[source,python]
----
@app.route('/example/', methods=['POST']) # Compliant
def example():
return 'example '
class unprotectedForm(FlaskForm):
class Meta:
csrf = True # Compliant
name = TextField('name')
submit = SubmitField('submit')
----
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
'''
== Comments And Links
(visible only on this page)
include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink