security/CSRF protection
Current situation
- Category: Cross-Site Request Forgery (CSRF)
- Review priority: High
SonarQube reported the issue "Make sure disabling CSRF protection is safe here." at https://glcp.idris.fr/ssi/ssham-server/-/blob/main/ssham/views.py#L3
Protection against CSRF attacks is strongly recommended:
- it should be enabled by default for all unsafe HTTP methods (POST, PUT, PATCH, DELETE), not opted into view by view;
- it should be implemented, for example, with an unguessable CSRF token that is tied to the user's session and checked on every unsafe request.
Sensitive operations must never be reachable through safe HTTP methods such as GET, which are designed for information retrieval only: a token check on unsafe methods is useless if the same state change can be triggered by a GET that the browser will happily send cross-site.
Actions
- Apply the recommended corrective measure
For a Flask application,
- the CSRFProtect extension (from Flask-WTF) should be enabled globally, and not disabled afterwards by setting WTF_CSRF_ENABLED to False:
from flask import Flask
from flask_wtf.csrf import CSRFProtect

app = Flask(__name__)
app.config["SECRET_KEY"] = "replace-with-a-real-secret-from-config"  # required: tokens are signed with it
csrf = CSRFProtect()
csrf.init_app(app)  # Compliant: every unsafe request is now checked unless explicitly exempted
- and the protection should not be disabled on individual views (with @csrf.exempt) or forms (with Meta.csrf = False):
from flask_wtf import FlaskForm
from wtforms import StringField, SubmitField

# `app` is the Flask instance with CSRFProtect initialised as shown above.
@app.route('/example/', methods=['POST'])  # Compliant: no @csrf.exempt, so the token is verified
def example():
    return 'example'


class ProtectedForm(FlaskForm):
    class Meta:
        csrf = True  # Compliant: keeps the per-form token (this is also the default)

    name = StringField('name')  # StringField replaces the removed TextField in current WTForms
    submit = SubmitField('submit')
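To make concrete what the finding is about, here is an added, self-contained illustration of the synchronizer-token pattern that CSRFProtect implements: a per-session unguessable token, checked in constant time on every unsafe method and never on safe ones. It uses only the standard library and is not Flask-WTF's code or the ssham-server project's code; the names CsrfGuard, Session, check_request and the /example/ path are hypothetical. The `enabled` flag and `exempt_paths` set stand in for WTF_CSRF_ENABLED and @csrf.exempt, so the last two cases in `demo()` show exactly the gap SonarQube warns about.

```python
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field

# Methods that may change server state and therefore must carry a token.
# GET/HEAD/OPTIONS are "safe" and are deliberately not checked.
UNSAFE_METHODS = frozenset({"POST", "PUT", "PATCH", "DELETE"})


@dataclass
class Session:
    """Server-side session state (hypothetical); the token lives here, not in a URL."""
    csrf_token: str | None = None


@dataclass
class CsrfGuard:
    """Hypothetical stand-in for CSRFProtect, showing the checks it performs."""
    enabled: bool = True                                  # analogue of WTF_CSRF_ENABLED
    exempt_paths: set[str] = field(default_factory=set)   # analogue of @csrf.exempt

    def issue_token(self, session: Session) -> str:
        """Return the session's token, generating an unguessable one on first use."""
        if session.csrf_token is None:
            session.csrf_token = secrets.token_urlsafe(32)  # 256 bits from the CSPRNG
        return session.csrf_token

    def token_valid(self, session: Session, submitted: str | None) -> bool:
        """Constant-time comparison against the token stored in *this* session."""
        if session.csrf_token is None or not submitted:
            return False
        return hmac.compare_digest(session.csrf_token.encode(), submitted.encode())

    def check_request(self, method: str, path: str, session: Session,
                      submitted: str | None) -> tuple[int, str]:
        """Decide (HTTP status, reason) for a request before the view runs."""
        if method.upper() not in UNSAFE_METHODS:
            return 200, "safe method, no token required"
        if not self.enabled or path in self.exempt_paths:
            # This branch is what the SonarQube finding flags: a state-changing
            # request reaches the view with no proof it originated from our page.
            return 200, "csrf check skipped (unsafe)"
        if self.token_valid(session, submitted):
            return 200, "csrf token valid"
        return 400, "csrf token missing or invalid"


def demo() -> dict[str, int]:
    """Run the cases a reviewer wants to see; returns the status code per case."""
    guard = CsrfGuard()
    victim = Session()
    token = guard.issue_token(victim)            # rendered into the legitimate form
    attacker = Session()
    attacker_token = guard.issue_token(attacker)  # attacker can only obtain *their own* token

    results = {
        "get_without_token": guard.check_request("GET", "/example/", victim, None)[0],
        "post_without_token": guard.check_request("POST", "/example/", victim, None)[0],
        "post_with_token": guard.check_request("POST", "/example/", victim, token)[0],
        "post_with_other_sessions_token":
            guard.check_request("POST", "/example/", victim, attacker_token)[0],
    }
    # The same forged request against a guard that was disabled globally or
    # exempted for this view: it goes through, which is the vulnerability.
    disabled = CsrfGuard(enabled=False)
    results["post_without_token_disabled"] = \
        disabled.check_request("POST", "/example/", victim, None)[0]
    exempted = CsrfGuard(exempt_paths={"/example/"})
    results["post_without_token_exempted"] = \
        exempted.check_request("POST", "/example/", victim, None)[0]
    return results


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:35s} -> {status}")
```

The two things the real extension adds on top of this sketch are signing the token with SECRET_KEY (so it can be carried outside the session store) and reading it from either the form field or the X-CSRFToken header; the decision logic, and in particular the fact that exempting a view or switching the flag off removes the check entirely, is the same.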
Edited by HARRY Guillaume