security/CSRF protection

Current situation

  • Category: Cross-Site Request Forgery (CSRF)
  • Review priority: High

SonarQube reported the finding "Make sure disabling CSRF protection is safe here." at line https://glcp.idris.fr/ssi/ssham-server/-/blob/main/ssham/views.py#L3

Protection against CSRF attacks is strongly recommended; it should be:

  • activated by default for all unsafe HTTP methods (POST, PUT, PATCH, DELETE);
  • implemented, for example, with an unguessable CSRF token tied to the user's session.

Of course, sensitive operations must never be performed through safe HTTP methods such as GET, which are designed only for information retrieval and are exactly the methods the CSRF check leaves unprotected.

Actions

  • Apply the recommended corrective measure

For a Flask application,

  • the CSRFProtect module should be used (and not disabled afterwards with WTF_CSRF_ENABLED set to False):

from flask import Flask
from flask_wtf.csrf import CSRFProtect

app = Flask(__name__)
csrf = CSRFProtect()
csrf.init_app(app)  # Compliant: CSRF enforced on every unsafe method by default

  • and it is recommended not to disable the CSRF protection on specific views or forms:

from flask_wtf import FlaskForm
from wtforms import StringField, SubmitField

@app.route('/example/', methods=['POST'])  # Compliant: the view is not exempted with @csrf.exempt
def example():
    return 'example'

class unprotectedForm(FlaskForm):
    class Meta:
        csrf = True  # Compliant: per-form protection left enabled

    name = StringField('name')  # TextField was removed in WTForms 3; StringField is its replacement
    submit = SubmitField('submit')
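To make the recommendation concrete without depending on Flask, the following stdlib-only model (added here as an illustration; it is not the ssham-server code nor Flask-WTF's implementation) shows the two properties asked for above: an unguessable per-session token, and a check that is applied by default to every unsafe method. The handle_request dispatcher, the csrf_enabled flag standing in for WTF_CSRF_ENABLED, the session dictionary and the sample requests are all constructed for the example.

```python
"""Stand-alone model of per-session CSRF token enforcement (stdlib only)."""
import hmac
import secrets
from typing import Optional, Tuple

# HTTP methods that must never change state, so no token is required for them.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})
TOKEN_BYTES = 32  # 256 bits of entropy: not guessable by a cross-site attacker


def issue_csrf_token(session: dict) -> str:
    """Return the session's CSRF token, minting an unguessable one on first use.

    The token is rendered into the site's own forms as a hidden field; a page on
    another origin cannot read it, which is what makes the check effective.
    """
    token = session.get("csrf_token")
    if token is None:
        token = secrets.token_urlsafe(TOKEN_BYTES)
        session["csrf_token"] = token
    return token


def csrf_check(method: str, session: dict,
               submitted_token: Optional[str]) -> Tuple[bool, str]:
    """Decide whether a request may run; returns (allowed, reason).

    Enforced by default on every unsafe method, as the recommendation asks.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    expected = session.get("csrf_token")
    if not expected:
        return False, "no token in session"
    if not submitted_token:
        return False, "token missing"
    # Constant-time comparison: a plain == would leak timing information.
    if not hmac.compare_digest(expected.encode(), submitted_token.encode()):
        return False, "token mismatch"
    return True, "token valid"


def handle_request(method: str, session: dict, form: dict,
                   csrf_enabled: bool = True) -> Tuple[int, str]:
    """Tiny view dispatcher; csrf_enabled models WTF_CSRF_ENABLED (hypothetical).

    Setting it to False is the kind of configuration SonarQube flags: a forged
    request is then accepted exactly like a legitimate one.
    """
    if csrf_enabled:
        allowed, reason = csrf_check(method, session, form.get("csrf_token"))
        if not allowed:
            return 400, f"CSRF check failed: {reason}"
    if method.upper() == "POST":
        return 200, f"updated name to {form.get('name')!r}"
    return 200, "example"


if __name__ == "__main__":
    # Constructed sample session for one logged-in user.
    session = {"user": "alice"}
    token = issue_csrf_token(session)

    # 1. The site's own form carries the hidden token: accepted.
    print(handle_request("POST", session, {"name": "alice", "csrf_token": token}))
    # 2. A request from another origin rides on the user's cookies but cannot
    #    include the token, so it is rejected before the view runs.
    print(handle_request("POST", session, {"name": "mallory"}))
    # 3. The same request with protection disabled: silently accepted.
    print(handle_request("POST", session, {"name": "mallory"}, csrf_enabled=False))
    # 4. Safe methods need no token, which is why GET must never change state.
    print(handle_request("GET", session, {}))
```

Run it directly to see the four outcomes; case 3 is the behaviour a disabled CSRFProtect (or an exempted view) produces, and case 4 is why the last paragraph of the recommendation insists that GET stays read-only.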
Edited by HARRY Guillaume