python.django.security.audit.csrf-exempt.no-csrf-exempt
Download count: 81,952
Detected usage of @csrf_exempt, which indicates that there is no CSRF token set for this route. This could lead to an attacker manipulating the user's account and exfiltrating private data. Instead, create a function without this decorator.
Definition
rules:
  - id: no-csrf-exempt
    pattern: |
      @django.views.decorators.csrf.csrf_exempt
      def $R(...):
        ...
    message: Detected usage of @csrf_exempt, which indicates that there is no CSRF
      token set for this route. This could lead to an attacker manipulating the
      user's account and exfiltration of private data. Instead, create a
      function without this decorator.
    metadata:
      cwe:
        - "CWE-352: Cross-Site Request Forgery (CSRF)"
      owasp:
        - A01:2021 - Broken Access Control
      category: security
      technology:
        - django
      references:
        - https://owasp.org/Top10/A01_2021-Broken_Access_Control
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site Request Forgery (CSRF)
    languages:
      - python
    severity: WARNING
Examples
csrf-exempt.py
from django.http import HttpResponse
from django.views.decorators.csrf import csrf_exempt

# ruleid: no-csrf-exempt
@csrf_exempt
def my_view(request):
    return HttpResponse('Hello world')

import django

# ruleid: no-csrf-exempt
@django.views.decorators.csrf.csrf_exempt
def my_view2(request):
    return HttpResponse('Hello world')
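The example file above only shows what the rule matches. The following added example (not part of the Semgrep rule or of Django) simulates why the finding matters: it models Django's double-submit CSRF check (the csrftoken cookie must be echoed back in the csrfmiddlewaretoken form field or X-CSRFToken header, compared in constant time) and dispatches a state-changing view with and without an exempt flag. Django's real CsrfViewMiddleware additionally masks tokens and checks Origin/Referer; those parts are omitted, and the Request class, dispatch, demo and change_email names are hypothetical stand-ins.

```python
"""Added example: why @csrf_exempt matters.

Self-contained simulation, not Django code. It mirrors the double-submit
check of django.middleware.csrf.CsrfViewMiddleware in simplified form
(no token masking, no Origin/Referer checks). Request, dispatch, demo and
change_email are hypothetical names chosen for this example.
"""
import secrets
from dataclasses import dataclass, field

# Methods that must not change state and are therefore not CSRF-checked.
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


@dataclass
class Request:
    """Minimal stand-in for django.http.HttpRequest (constructed for this example)."""
    method: str
    cookies: dict = field(default_factory=dict)
    POST: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def issue_csrf_token() -> str:
    """Random per-session secret that the server sets as the csrftoken cookie."""
    return secrets.token_hex(32)


def csrf_check_passes(request: Request) -> bool:
    """Simplified middleware logic: state-changing requests must echo the
    cookie token via the form field or the X-CSRFToken header."""
    if request.method in SAFE_METHODS:
        return True
    cookie_token = request.cookies.get("csrftoken", "")
    submitted = request.POST.get("csrfmiddlewaretoken") or request.headers.get("X-CSRFToken", "")
    if not cookie_token or not submitted:
        return False
    # Constant-time comparison, as Django does, to avoid timing leaks.
    return secrets.compare_digest(cookie_token, submitted)


def csrf_exempt(view):
    """Mirrors django.views.decorators.csrf.csrf_exempt: flags the view so
    the middleware skips the check entirely (this is what the rule flags)."""
    view.csrf_exempt = True
    return view


def dispatch(view, request: Request):
    """What the middleware does before handing the request to a view."""
    if not getattr(view, "csrf_exempt", False) and not csrf_check_passes(request):
        return 403, "CSRF verification failed"
    return view(request)


# Protected by default: the form the rule recommends (no decorator).
def change_email(request: Request):
    return 200, f"email changed to {request.POST['email']}"


# The same state-changing view with the decorator the rule flags.
@csrf_exempt
def change_email_exempt(request: Request):
    return 200, f"email changed to {request.POST['email']}"


def forged_request(token: str) -> Request:
    """Constructed cross-site form POST: the browser attaches the victim's
    cookie, but a third-party page cannot read it, so no token field is sent."""
    return Request("POST", cookies={"csrftoken": token},
                   POST={"email": "attacker@example.com"})


def legitimate_request(token: str) -> Request:
    """Constructed same-site form POST: the template rendered {% csrf_token %}."""
    return Request("POST", cookies={"csrftoken": token},
                   POST={"email": "me@example.com", "csrfmiddlewaretoken": token})


def demo() -> dict:
    """Status codes for each combination of view and request."""
    token = issue_csrf_token()
    return {
        "protected_forged": dispatch(change_email, forged_request(token))[0],
        "protected_legit": dispatch(change_email, legitimate_request(token))[0],
        "exempt_forged": dispatch(change_email_exempt, forged_request(token))[0],
    }


if __name__ == "__main__":
    print(demo())  # {'protected_forged': 403, 'protected_legit': 200, 'exempt_forged': 200}
```

The result shows the rule's point: with the middleware in place a forged cross-site POST is rejected while the legitimate form submission succeeds, but once the view is exempted the forged request changes state exactly as the legitimate one would. In a real Django project the defense is the default one the rule recommends: keep CsrfViewMiddleware enabled, render {% csrf_token %} in forms, and send the token in the X-CSRFToken header for JavaScript requests instead of exempting the route.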
Short Link: https://sg.run/rd5e