hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

python: rule out test code for CSRF

Browse Source
This commit is contained in:
Rasmus Lerchedahl Petersen
2022-03-22 14:57:05 +01:00
parent 0f2c21c8bd
commit 53de8287f5
1 changed files with 3 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
python/ql/src/Security/CWE-352/CSRFProtectionDisabled.ql
View File

@@ -17,5 +17,7 @@ import semmle.python.Concepts
from CSRFProtectionSetting s from CSRFProtectionSetting s
where where
s.getVerificationSetting() = false and s.getVerificationSetting() = false and
not exists(CSRFProtection p) not exists(CSRFProtection p) and
// rule out test code as this is a common place to turn off CSRF protection
not s.getLocation().getFile().getAbsolutePath().matches("%test%")
select s, "Potential CSRF vulnerability due to forgery protection being disabled or weakened." select s, "Potential CSRF vulnerability due to forgery protection being disabled or weakened."