diff --git a/python/ql/lib/semmle/python/Concepts.qll b/python/ql/lib/semmle/python/Concepts.qll index 1f4aca0b21a..31fd2a5cf0e 100644 --- a/python/ql/lib/semmle/python/Concepts.qll +++ b/python/ql/lib/semmle/python/Concepts.qll @@ -106,7 +106,7 @@ module FileSystemWriteAccess { } /** - * A data-flow node that may set or unset Cross-site request forgery protection + * A data-flow node that enables or disables Cross-site request forgery protection * in a global manner. * * Extend this class to refine existing API models. If you want to model new APIs, diff --git a/python/ql/lib/semmle/python/frameworks/Django.qll b/python/ql/lib/semmle/python/frameworks/Django.qll index d623c663442..5e7226a2f3a 100644 --- a/python/ql/lib/semmle/python/frameworks/Django.qll +++ b/python/ql/lib/semmle/python/frameworks/Django.qll @@ -2330,8 +2330,12 @@ module PrivateDjango { mw.asVar().getName() = "MIDDLEWARE" and DataFlow::localFlow(this, mw) | - // it only counts as setting the CSRF protection, if the app uses authentication, - // so check that the list contains the django authentication middleware. + // To only include results where CSRF protection matters, we only care about CSRF + // protection when the django authentication middleware is enabled. + // Since an active session cookie is exactly what would allow an attacker to perform + // a CSRF attack. + // Notice that this does not ensure that this is not a FP, since the authentication + // middleware might be unused. // // This also strongly implies that we are actually looking at the `MIDDLEWARE` setting. list.getAnElt().(StrConst).getText() = diff --git a/python/ql/src/Security/CWE-352/CSRFProtectionDisabled.qhelp b/python/ql/src/Security/CWE-352/CSRFProtectionDisabled.qhelp index 98a5dae20ba..c9a6d4f0f16 100644 --- a/python/ql/src/Security/CWE-352/CSRFProtectionDisabled.qhelp +++ b/python/ql/src/Security/CWE-352/CSRFProtectionDisabled.qhelp @@ -6,7 +6,7 @@

Cross-site request forgery (CSRF) is a type of vulnerability in which an - attacker is able to force a user carry out an action that the user did + attacker is able to force a user to carry out an action that the user did not intend.
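Review bot: the Concepts.qll doc comment now reads "enables or disables Cross-site request forgery protection in a global manner", but the Django model in this same change deliberately narrows matches to settings where the authentication middleware is present (see the "To only include results where CSRF protection matters" comment in the Django.qll hunk). Since `CsrfProtectionSetting` is the extension point other framework models implement, a sentence here stating that implementations may restrict themselves to configurations where the protection is relevant would make that intent discoverable, rather than leaving it in a comment inside one framework file.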
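Review bot: the replacement comment in the Django.qll hunk contains a sentence fragment and a double negative, and uses an unexplained abbreviation: "Since an active session cookie is exactly what would allow an attacker to perform a CSRF attack." stands alone, and "this does not ensure that this is not a FP" is hard to parse. Suggest joining the fragment to the preceding sentence and spelling out "false positive", e.g. `// We only care about CSRF protection when the Django authentication middleware is enabled,` / `// since an active session cookie is what makes a CSRF attack possible.` / `// Note that this can still be a false positive, since the authentication middleware might be unused.` While here, capitalise "Django" consistently with the rest of the file.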