


1from plain.runtime import settings 

2 

3from .. import Warning, register 

4 

# Returned by check_csrf_middleware when 'plain.csrf.middleware.CsrfViewMiddleware'
# is absent from settings.MIDDLEWARE.
W003 = Warning(
    "You don't appear to be using Plain's built-in cross-site request "
    "forgery protection via the middleware "
    "('plain.csrf.middleware.CsrfViewMiddleware' is not in your MIDDLEWARE). "
    "Enabling the middleware is the safest approach to ensure you don't "
    "leave any holes.",
    id="security.W003",
)

13 

# Returned by check_csrf_cookie_secure when the CSRF middleware is installed
# but settings.CSRF_COOKIE_SECURE is not exactly True.
W016 = Warning(
    "You have 'plain.csrf.middleware.CsrfViewMiddleware' in your MIDDLEWARE, "
    "but you have not set CSRF_COOKIE_SECURE to True. Using a secure-only "
    "CSRF cookie makes it more difficult for network traffic sniffers to "
    "steal the CSRF token.",
    id="security.W016",
)

21 

22 

def _csrf_middleware() -> bool:
    """Return True when Plain's CsrfViewMiddleware is listed in settings.MIDDLEWARE.

    This is an exact dotted-path membership test, so a subclass or wrapper
    registered under a different import path is not recognised and the
    checks below will report it as missing.
    """
    middleware_path = "plain.csrf.middleware.CsrfViewMiddleware"
    installed = settings.MIDDLEWARE
    return middleware_path in installed

25 

26 

@register(deploy=True)
def check_csrf_middleware(package_configs, **kwargs) -> list:
    """Deploy-time preflight check: warn when the CSRF middleware is not installed.

    Args:
        package_configs: supplied by the preflight runner; not used here.
        **kwargs: extra runner arguments; not used here.

    Returns:
        An empty list when 'plain.csrf.middleware.CsrfViewMiddleware' is in
        settings.MIDDLEWARE, otherwise ``[W003]``.
    """
    if _csrf_middleware():
        return []
    return [W003]

31 

32 

@register(deploy=True)
def check_csrf_cookie_secure(package_configs, **kwargs) -> list:
    """Deploy-time preflight check: warn when the CSRF cookie is not Secure-only.

    The check is skipped entirely when the CSRF middleware is not installed;
    that situation is already reported by check_csrf_middleware (W003), so
    reporting W016 on top of it would be noise.

    The comparison is an identity test against ``True`` on purpose: a truthy
    placeholder such as the string "True" or the integer 1 (easy to get from
    an environment variable) is still treated as misconfigured and warns.

    Args:
        package_configs: supplied by the preflight runner; not used here.
        **kwargs: extra runner arguments; not used here.

    Returns:
        An empty list when the middleware is absent or CSRF_COOKIE_SECURE is
        exactly ``True``, otherwise ``[W016]``.
    """
    if not _csrf_middleware():
        return []
    if settings.CSRF_COOKIE_SECURE is True:
        return []
    return [W016]