rastray 0.15.0

Blazing-fast static analysis CLI for security, dependency, and performance audits.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53

# RSTR-CSRF-001 — Flask WTF_CSRF_ENABLED disabled

## Summary

Flask-WTF's CSRF protection is disabled globally
(`WTF_CSRF_ENABLED = False` or `app.config['WTF_CSRF_ENABLED']
= False`). Every state-changing form in the app is now
vulnerable to cross-site request forgery: an attacker who
gets the victim to visit a page they control can submit a
form to your app using the victim's cookies.

## Severity

`High`.

## Languages

Python.

## How to fix it

Leave the default in place — `WTF_CSRF_ENABLED` defaults to
`True` for a reason. Use `{{ csrf_token() }}` in every form:

```html
<form method="POST" action="/profile">
  {{ csrf_token() }}
  <input name="name" />
  <button type="submit">Save</button>
</form>
```

For AJAX, set the `X-CSRFToken` header from
`{{ csrf_token() }}` injected into a `<meta>` tag.

If a specific webhook handler legitimately can't have CSRF
protection (e.g. Stripe webhook), exempt that one route:

```python
@csrf.exempt
@app.route('/webhook/stripe', methods=['POST'])
def stripe_webhook():
    # verify Stripe signature instead
    ...
```

…not the whole app.

## References

- [Flask-WTF: CSRF protection](https://flask-wtf.readthedocs.io/en/1.2.x/csrf/)
- [CWE-352: Cross-Site Request Forgery](https://cwe.mitre.org/data/definitions/352.html)
- [OWASP CSRF Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Request_Forgery_Prevention_Cheat_Sheet.html)