Detection pattern, code examples:
For a Django application, this rule should be triggered when
- the MIDDLEWARE array does not contain an element with the value django.middleware.csrf.CsrfViewMiddleware
To be sure we are analyzing the MIDDLEWARE array of a Django application (i.e. the settings module of a Django project), this rule should be triggered only if the MIDDLEWARE array has at least one string element whose value starts with "django."
- the @csrf_exempt decorator is found on a view
For a Flask application, this rule should be triggered when
- app.config['WTF_CSRF_ENABLED'] is set to False
- the CSRFProtect extension is not applied to the app. This is the default state, so the rule should always raise unless one of these two blocks is found:
Ideally, the search for one of these two blocks should be cross-file. To work around possible limitations of the analyzer (type inference, etc.), it may be enough not to raise when a csrf.init_app(app) call is found (whatever the type of the first argument: it cannot be anything other than a Flask() object) or when a CSRFProtect(app) call is found (likewise, whatever the type of app: checking that the CSRFProtect call has one argument is enough).
- the @csrf.exempt decorator is found, or a csrf.exempt(simple_page) method call is found
- a FlaskForm has disabled the CSRF protection, in one of three cases:
- During the definition of the class:
- During the instantiation (Flask-WTF < 0.14, csrf_enabled keyword):
- During the instantiation (Flask-WTF >= 0.14, meta keyword):
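The Django and Flask patterns above, implemented as an added example: a toy single-file AST checker written for this page, not the analyzer's own rule code. It follows the text's heuristics literally (a MIDDLEWARE list only counts if it holds a "django." entry; any first argument to CSRFProtect(...) or csrf.init_app(...) is accepted as the app; the "no protection" finding is per file, since there is no cross-file analysis here). The sample settings, views and app sources are constructed for the demonstration.

```python
# Added example, not the analyzer's own code: a toy single-file AST checker for the
# CSRF detection patterns listed above. Python 3.9+ (ast.Subscript.slice holds the index node).
import ast

CSRF_MIDDLEWARE = "django.middleware.csrf.CsrfViewMiddleware"

def dotted(node):
    """'csrf.exempt' for the AST of csrf.exempt, 'CSRFProtect' for a bare name, '' otherwise."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [node.id])) if isinstance(node, ast.Name) else ""

def is_false(node): return isinstance(node, ast.Constant) and node.value is False

def check_django(source):
    """MIDDLEWARE lacking CsrfViewMiddleware (only lists with a 'django.' entry count) and @csrf_exempt."""
    issues = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Assign) and isinstance(node.value, (ast.List, ast.Tuple))
                and any(dotted(t) == "MIDDLEWARE" for t in node.targets)):
            entries = [e.value for e in node.value.elts if isinstance(e, ast.Constant) and isinstance(e.value, str)]
            if any(e.startswith("django.") for e in entries) and CSRF_MIDDLEWARE not in entries:
                issues.append(f"line {node.lineno}: MIDDLEWARE lacks {CSRF_MIDDLEWARE}")
        elif isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            for dec in node.decorator_list:
                if dotted(dec).rsplit(".", 1)[-1] == "csrf_exempt":
                    issues.append(f"line {dec.lineno}: {node.name} is decorated with @csrf_exempt")
    return issues

def check_flask(source):
    """WTF_CSRF_ENABLED=False, missing CSRFProtect(app)/csrf.init_app(app), csrf.exempt, forms opting out."""
    issues, protected = [], False
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = dotted(node.func)
            # Any first argument is accepted as the app, as the text allows (no type inference here).
            if (name.rsplit(".", 1)[-1] == "CSRFProtect" or name == "csrf.init_app") and node.args:
                protected = True
            if name == "csrf.exempt":
                issues.append(f"line {node.lineno}: csrf.exempt(...) call")
            for kw in node.keywords:
                if kw.arg == "csrf_enabled" and is_false(kw.value):  # Flask-WTF < 0.14
                    issues.append(f"line {node.lineno}: form created with csrf_enabled=False")
                if kw.arg == "meta" and isinstance(kw.value, ast.Dict):  # Flask-WTF >= 0.14
                    for k, v in zip(kw.value.keys, kw.value.values):
                        if isinstance(k, ast.Constant) and k.value == "csrf" and is_false(v):
                            issues.append(f"line {node.lineno}: form created with meta={{'csrf': False}}")
        elif isinstance(node, ast.Assign) and is_false(node.value):  # app.config['WTF_CSRF_ENABLED'] = False
            for t in node.targets:
                if (isinstance(t, ast.Subscript) and dotted(t.value).endswith("config")
                        and isinstance(t.slice, ast.Constant) and t.slice.value == "WTF_CSRF_ENABLED"):
                    issues.append(f"line {node.lineno}: WTF_CSRF_ENABLED set to False")
        elif isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            if any(dotted(d) == "csrf.exempt" for d in node.decorator_list):
                issues.append(f"line {node.lineno}: {node.name} is decorated with @csrf.exempt")
        elif isinstance(node, ast.ClassDef) and any(dotted(b).rsplit(".", 1)[-1] == "FlaskForm" for b in node.bases):
            for meta in node.body:  # class Meta: csrf = False
                if isinstance(meta, ast.ClassDef) and meta.name == "Meta":
                    for stmt in meta.body:
                        if (isinstance(stmt, ast.Assign) and is_false(stmt.value)
                                and any(dotted(t) == "csrf" for t in stmt.targets)):
                            issues.append(f"line {stmt.lineno}: {node.name}.Meta.csrf = False")
    if not protected:
        issues.append("no CSRFProtect(app) or csrf.init_app(app) call found in this file")
    return issues

# Constructed sample sources (not from any real project).
DJANGO_SETTINGS = '''
MIDDLEWARE = ["django.middleware.security.SecurityMiddleware",
              "django.contrib.sessions.middleware.SessionMiddleware"]
'''
DJANGO_VIEWS = '''
from django.views.decorators.csrf import csrf_exempt
@csrf_exempt
def webhook(request): ...
'''
FLASK_APP = '''
from flask import Flask
from flask_wtf import FlaskForm
from flask_wtf.csrf import CSRFProtect
app = Flask(__name__)
app.config["WTF_CSRF_ENABLED"] = False
csrf = CSRFProtect()                  # CSRFProtect(app) / csrf.init_app(app) never called
@app.route("/legacy", methods=["POST"])
@csrf.exempt
def legacy(): ...
class ContactForm(FlaskForm):
    class Meta:
        csrf = False
ContactForm(csrf_enabled=False)       # Flask-WTF < 0.14
ContactForm(meta={"csrf": False})     # Flask-WTF >= 0.14
'''
FLASK_APP_OK = "from flask import Flask\nfrom flask_wtf.csrf import CSRFProtect\napp = Flask(__name__)\ncsrf = CSRFProtect(app)\n"

if __name__ == "__main__":
    print(check_django(DJANGO_SETTINGS), check_django(DJANGO_VIEWS), check_flask(FLASK_APP), check_flask(FLASK_APP_OK))
```

Run against the samples, check_django reports the incomplete MIDDLEWARE list and the exempted view, check_flask reports six findings on the insecure app (the config flag, the exempted view, the three form opt-outs, and the missing CSRFProtect(app) call) and nothing on the app that passes Flask() to CSRFProtect. A real implementation would need the cross-file view the text asks for: CSRFProtect(app) in one module silences the "not protected" finding for views defined in another.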