Update python/ql/src/Security/CWE-352/CSRFProtectionDisabled.ql

Explain why `TestScope` is not used.

Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
yoff
2022-03-29 13:59:04 +02:00
committed by GitHub
parent d39410aa2d
commit 3416f074e8


@@ -18,6 +18,8 @@ from HTTP::Server::CsrfProtectionSetting s
where
s.getVerificationSetting() = false and
not exists(HTTP::Server::CsrfLocalProtectionSetting p | p.csrfEnabled()) and
// rule out test code as this is a common place to turn off CSRF protection
// rule out test code as this is a common place to turn off CSRF protection.
// We don't use normal `TestScope` to find test files, since we also want to match
// a settings file such as `.../integration-tests/settings.py`
not s.getLocation().getFile().getAbsolutePath().matches("%test%")
select s, "Potential CSRF vulnerability due to forgery protection being disabled or weakened."
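Review bot: the exclusion `not s.getLocation().getFile().getAbsolutePath().matches("%test%")` is a substring match over the entire absolute path, so any directory component that happens to contain "test" (a user name, a project named "contest" or "latest", and so on) silently suppresses a real finding on a production `settings.py`; since the new comment only justifies not using `TestScope`, either tighten the pattern to a path component (for example `matches("%/test%")` or `matches("%test%/%")`) so the check keys on a test directory rather than on any substring, or extend the comment to state that this false-negative trade-off is accepted.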