python: allow alternative middleware

(observed [on LGTM](9d6a7ee180/files/mozillians/settings.py (L96)))
2025-12-23 04:06:37 +01:00 · 2022-03-23 12:27:51 +01:00
parent 6c2449564a
commit 93336bcb16
1 changed files with 6 additions and 1 deletions
--- a/python/ql/lib/semmle/python/frameworks/Django.qll
+++ b/python/ql/lib/semmle/python/frameworks/Django.qll
@@ -2340,7 +2340,12 @@ module PrivateDjango {
    }

    override boolean getVerificationSetting() {
-      if list.getAnElt().(StrConst).getText() = "django.middleware.csrf.CsrfViewMiddleware"
+      if
+        list.getAnElt().(StrConst).getText() in [
+            "django.middleware.csrf.CsrfViewMiddleware",
+            // see https://github.com/mozilla/django-session-csrf
+            "session_csrf.CsrfMiddleware"
+          ]
      then result = true
      else result = false
    }