Coverage for /Users/davegaeddert/Development/dropseed/plain/plain-sessions/plain/sessions/preflight.py: 45%

40 statements  


1from plain.preflight import Warning, register 

2from plain.runtime import settings 


def add_session_cookie_message(message):
    """Return *message* with the rationale for a secure-only cookie appended.

    The appended sentence begins with a space, so *message* is expected to
    end with its own punctuation. Every SESSION_COOKIE_SECURE warning in this
    module is built through this helper, which keeps the wording identical.
    """
    rationale = (
        " Using a secure-only session cookie makes it more difficult for "
        "network traffic sniffers to hijack user sessions."
    )
    return message + rationale


# Warnings returned by check_session_cookie_secure() when
# settings.SESSION_COOKIE_SECURE is not the boolean True. Which one is
# returned depends on how the sessions package was detected:
#   W010 - 'plain.sessions' is listed in INSTALLED_PACKAGES only
#   W011 - SessionMiddleware is listed in MIDDLEWARE only
#   W012 - both of the above (replaces W010 and W011 with one message)
W010 = Warning(
    add_session_cookie_message(
        "You have 'plain.sessions' in your INSTALLED_PACKAGES, "
        "but you have not set SESSION_COOKIE_SECURE to True."
    ),
    id="security.W010",
)

W011 = Warning(
    add_session_cookie_message(
        "You have 'plain.sessions.middleware.SessionMiddleware' "
        "in your MIDDLEWARE, but you have not set "
        "SESSION_COOKIE_SECURE to True."
    ),
    id="security.W011",
)

W012 = Warning(
    add_session_cookie_message(
        "SESSION_COOKIE_SECURE is not set to True."
    ),
    id="security.W012",
)


def add_httponly_message(message):
    """Return *message* with the rationale for an HttpOnly cookie appended.

    The appended sentence begins with a space, so *message* is expected to
    end with its own punctuation. HttpOnly keeps the session cookie out of
    reach of page scripts; it limits what a cross-site scripting flaw can
    steal but does not remove the flaw itself.
    """
    rationale = (
        " Using an HttpOnly session cookie makes it more difficult for "
        "cross-site scripting attacks to hijack user sessions."
    )
    return message + rationale


# Warnings returned by check_session_cookie_httponly() when
# settings.SESSION_COOKIE_HTTPONLY is not the boolean True. Which one is
# returned depends on how the sessions package was detected:
#   W013 - 'plain.sessions' is listed in INSTALLED_PACKAGES only
#   W014 - SessionMiddleware is listed in MIDDLEWARE only
#   W015 - both of the above (replaces W013 and W014 with one message)
W013 = Warning(
    add_httponly_message(
        "You have 'plain.sessions' in your INSTALLED_PACKAGES, "
        "but you have not set SESSION_COOKIE_HTTPONLY to True."
    ),
    id="security.W013",
)

W014 = Warning(
    add_httponly_message(
        "You have 'plain.sessions.middleware.SessionMiddleware' "
        "in your MIDDLEWARE, but you have not set "
        "SESSION_COOKIE_HTTPONLY to True."
    ),
    id="security.W014",
)

W015 = Warning(
    add_httponly_message(
        "SESSION_COOKIE_HTTPONLY is not set to True."
    ),
    id="security.W015",
)


@register(deploy=True)
def check_session_cookie_secure(package_configs, **kwargs):
    """Warn when sessions are in use but the session cookie is not Secure.

    Returns an empty list when ``settings.SESSION_COOKIE_SECURE`` is the
    boolean ``True``. The test is an identity check, so truthy stand-ins
    such as ``1`` or ``"true"`` still produce a warning.

    Otherwise returns ``[W010]`` when only the package is detected,
    ``[W011]`` when only the middleware is detected, ``[W012]`` when both
    are, and an empty list when neither is. ``package_configs`` and
    ``kwargs`` are accepted but not read here.
    """
    if settings.SESSION_COOKIE_SECURE is True:
        return []

    # Both probes always run, package first, then middleware.
    package_listed = _session_app()
    middleware_listed = _session_middleware()

    if package_listed and middleware_listed:
        # One combined message instead of two near-identical ones.
        return [W012]
    if package_listed:
        return [W010]
    if middleware_listed:
        return [W011]
    # Sessions not detected: nothing to report even though the flag is unset.
    return []


@register(deploy=True)
def check_session_cookie_httponly(package_configs, **kwargs):
    """Warn when sessions are in use but the session cookie is not HttpOnly.

    Returns an empty list when ``settings.SESSION_COOKIE_HTTPONLY`` is the
    boolean ``True``. The test is an identity check, so truthy stand-ins
    such as ``1`` or ``"true"`` still produce a warning.

    Otherwise returns ``[W013]`` when only the package is detected,
    ``[W014]`` when only the middleware is detected, ``[W015]`` when both
    are, and an empty list when neither is. ``package_configs`` and
    ``kwargs`` are accepted but not read here.
    """
    if settings.SESSION_COOKIE_HTTPONLY is True:
        return []

    # Both probes always run, package first, then middleware.
    package_listed = _session_app()
    middleware_listed = _session_middleware()

    if package_listed and middleware_listed:
        # One combined message instead of two near-identical ones.
        return [W015]
    if package_listed:
        return [W013]
    if middleware_listed:
        return [W014]
    # Sessions not detected: nothing to report even though the flag is unset.
    return []


def _session_middleware():
    """Report whether the stock session middleware is listed in MIDDLEWARE.

    This is a plain membership test on one dotted path. Assuming MIDDLEWARE
    is a sequence of dotted-path strings (confirm against the settings
    definition), a subclass or re-export under another path is not detected,
    and the cookie checks then return no warning for it.
    """
    middleware_path = "plain.sessions.middleware.SessionMiddleware"
    return middleware_path in settings.MIDDLEWARE


def _session_app():
    """Report whether 'plain.sessions' is listed in INSTALLED_PACKAGES.

    This is a plain membership test on the package name. Assuming
    INSTALLED_PACKAGES is a sequence of package-name strings (confirm
    against the settings definition), only the exact entry
    'plain.sessions' counts.
    """
    package_name = "plain.sessions"
    return package_name in settings.INSTALLED_PACKAGES