Coverage for /var/srv/projects/api.amasfac.comuna18.com/tmp/venv/lib/python3.9/site-packages/django/core/checks/security/base.py: 50%

89 statements  

« prev     ^ index     » next       coverage.py v6.4.4, created at 2023-07-17 14:22 -0600

1from django.conf import settings 

2from django.core.exceptions import ImproperlyConfigured 

3 

4from .. import Error, Tags, Warning, register 

5 

6CROSS_ORIGIN_OPENER_POLICY_VALUES = { 

7 "same-origin", 

8 "same-origin-allow-popups", 

9 "unsafe-none", 

10} 

11REFERRER_POLICY_VALUES = { 

12 "no-referrer", 

13 "no-referrer-when-downgrade", 

14 "origin", 

15 "origin-when-cross-origin", 

16 "same-origin", 

17 "strict-origin", 

18 "strict-origin-when-cross-origin", 

19 "unsafe-url", 

20} 

21 

22SECRET_KEY_INSECURE_PREFIX = "django-insecure-" 

23SECRET_KEY_MIN_LENGTH = 50 

24SECRET_KEY_MIN_UNIQUE_CHARACTERS = 5 

25 

26W001 = Warning( 

27 "You do not have 'django.middleware.security.SecurityMiddleware' " 

28 "in your MIDDLEWARE so the SECURE_HSTS_SECONDS, " 

29 "SECURE_CONTENT_TYPE_NOSNIFF, SECURE_REFERRER_POLICY, " 

30 "SECURE_CROSS_ORIGIN_OPENER_POLICY, and SECURE_SSL_REDIRECT settings will " 

31 "have no effect.", 

32 id="security.W001", 

33) 

34 

35W002 = Warning( 

36 "You do not have " 

37 "'django.middleware.clickjacking.XFrameOptionsMiddleware' in your " 

38 "MIDDLEWARE, so your pages will not be served with an " 

39 "'x-frame-options' header. Unless there is a good reason for your " 

40 "site to be served in a frame, you should consider enabling this " 

41 "header to help prevent clickjacking attacks.", 

42 id="security.W002", 

43) 

44 

45W004 = Warning( 

46 "You have not set a value for the SECURE_HSTS_SECONDS setting. " 

47 "If your entire site is served only over SSL, you may want to consider " 

48 "setting a value and enabling HTTP Strict Transport Security. " 

49 "Be sure to read the documentation first; enabling HSTS carelessly " 

50 "can cause serious, irreversible problems.", 

51 id="security.W004", 

52) 

53 

54W005 = Warning( 

55 "You have not set the SECURE_HSTS_INCLUDE_SUBDOMAINS setting to True. " 

56 "Without this, your site is potentially vulnerable to attack " 

57 "via an insecure connection to a subdomain. Only set this to True if " 

58 "you are certain that all subdomains of your domain should be served " 

59 "exclusively via SSL.", 

60 id="security.W005", 

61) 

62 

63W006 = Warning( 

64 "Your SECURE_CONTENT_TYPE_NOSNIFF setting is not set to True, " 

65 "so your pages will not be served with an " 

66 "'X-Content-Type-Options: nosniff' header. " 

67 "You should consider enabling this header to prevent the " 

68 "browser from identifying content types incorrectly.", 

69 id="security.W006", 

70) 

71 

72W008 = Warning( 

73 "Your SECURE_SSL_REDIRECT setting is not set to True. " 

74 "Unless your site should be available over both SSL and non-SSL " 

75 "connections, you may want to either set this setting True " 

76 "or configure a load balancer or reverse-proxy server " 

77 "to redirect all connections to HTTPS.", 

78 id="security.W008", 

79) 

80 

81W009 = Warning( 

82 "Your SECRET_KEY has less than %(min_length)s characters, less than " 

83 "%(min_unique_chars)s unique characters, or it's prefixed with " 

84 "'%(insecure_prefix)s' indicating that it was generated automatically by " 

85 "Django. Please generate a long and random SECRET_KEY, otherwise many of " 

86 "Django's security-critical features will be vulnerable to attack." 

87 % { 

88 "min_length": SECRET_KEY_MIN_LENGTH, 

89 "min_unique_chars": SECRET_KEY_MIN_UNIQUE_CHARACTERS, 

90 "insecure_prefix": SECRET_KEY_INSECURE_PREFIX, 

91 }, 

92 id="security.W009", 

93) 

94 

95W018 = Warning( 

96 "You should not have DEBUG set to True in deployment.", 

97 id="security.W018", 

98) 

99 

100W019 = Warning( 

101 "You have " 

102 "'django.middleware.clickjacking.XFrameOptionsMiddleware' in your " 

103 "MIDDLEWARE, but X_FRAME_OPTIONS is not set to 'DENY'. " 

104 "Unless there is a good reason for your site to serve other parts of " 

105 "itself in a frame, you should change it to 'DENY'.", 

106 id="security.W019", 

107) 

108 

109W020 = Warning( 

110 "ALLOWED_HOSTS must not be empty in deployment.", 

111 id="security.W020", 

112) 

113 

114W021 = Warning( 

115 "You have not set the SECURE_HSTS_PRELOAD setting to True. Without this, " 

116 "your site cannot be submitted to the browser preload list.", 

117 id="security.W021", 

118) 

119 

120W022 = Warning( 

121 "You have not set the SECURE_REFERRER_POLICY setting. Without this, your " 

122 "site will not send a Referrer-Policy header. You should consider " 

123 "enabling this header to protect user privacy.", 

124 id="security.W022", 

125) 

126 

127E023 = Error( 

128 "You have set the SECURE_REFERRER_POLICY setting to an invalid value.", 

129 hint="Valid values are: {}.".format(", ".join(sorted(REFERRER_POLICY_VALUES))), 

130 id="security.E023", 

131) 

132 

133E024 = Error( 

134 "You have set the SECURE_CROSS_ORIGIN_OPENER_POLICY setting to an invalid " 

135 "value.", 

136 hint="Valid values are: {}.".format( 

137 ", ".join(sorted(CROSS_ORIGIN_OPENER_POLICY_VALUES)), 

138 ), 

139 id="security.E024", 

140) 

141 

142 

143def _security_middleware(): 

144 return "django.middleware.security.SecurityMiddleware" in settings.MIDDLEWARE 

145 

146 

147def _xframe_middleware(): 

148 return ( 

149 "django.middleware.clickjacking.XFrameOptionsMiddleware" in settings.MIDDLEWARE 

150 ) 

151 

152 

153@register(Tags.security, deploy=True) 

154def check_security_middleware(app_configs, **kwargs): 

155 passed_check = _security_middleware() 

156 return [] if passed_check else [W001] 

157 

158 

159@register(Tags.security, deploy=True) 

160def check_xframe_options_middleware(app_configs, **kwargs): 

161 passed_check = _xframe_middleware() 

162 return [] if passed_check else [W002] 

163 

164 

165@register(Tags.security, deploy=True) 

166def check_sts(app_configs, **kwargs): 

167 passed_check = not _security_middleware() or settings.SECURE_HSTS_SECONDS 

168 return [] if passed_check else [W004] 

169 

170 

171@register(Tags.security, deploy=True) 

172def check_sts_include_subdomains(app_configs, **kwargs): 

173 passed_check = ( 

174 not _security_middleware() 

175 or not settings.SECURE_HSTS_SECONDS 

176 or settings.SECURE_HSTS_INCLUDE_SUBDOMAINS is True 

177 ) 

178 return [] if passed_check else [W005] 

179 

180 

181@register(Tags.security, deploy=True) 

182def check_sts_preload(app_configs, **kwargs): 

183 passed_check = ( 

184 not _security_middleware() 

185 or not settings.SECURE_HSTS_SECONDS 

186 or settings.SECURE_HSTS_PRELOAD is True 

187 ) 

188 return [] if passed_check else [W021] 

189 

190 

191@register(Tags.security, deploy=True) 

192def check_content_type_nosniff(app_configs, **kwargs): 

193 passed_check = ( 

194 not _security_middleware() or settings.SECURE_CONTENT_TYPE_NOSNIFF is True 

195 ) 

196 return [] if passed_check else [W006] 

197 

198 

199@register(Tags.security, deploy=True) 

200def check_ssl_redirect(app_configs, **kwargs): 

201 passed_check = not _security_middleware() or settings.SECURE_SSL_REDIRECT is True 

202 return [] if passed_check else [W008] 

203 

204 

205@register(Tags.security, deploy=True) 

206def check_secret_key(app_configs, **kwargs): 

207 try: 

208 secret_key = settings.SECRET_KEY 

209 except (ImproperlyConfigured, AttributeError): 

210 passed_check = False 

211 else: 

212 passed_check = ( 

213 len(set(secret_key)) >= SECRET_KEY_MIN_UNIQUE_CHARACTERS 

214 and len(secret_key) >= SECRET_KEY_MIN_LENGTH 

215 and not secret_key.startswith(SECRET_KEY_INSECURE_PREFIX) 

216 ) 

217 return [] if passed_check else [W009] 

218 

219 

220@register(Tags.security, deploy=True) 

221def check_debug(app_configs, **kwargs): 

222 passed_check = not settings.DEBUG 

223 return [] if passed_check else [W018] 

224 

225 

226@register(Tags.security, deploy=True) 

227def check_xframe_deny(app_configs, **kwargs): 

228 passed_check = not _xframe_middleware() or settings.X_FRAME_OPTIONS == "DENY" 

229 return [] if passed_check else [W019] 

230 

231 

232@register(Tags.security, deploy=True) 

233def check_allowed_hosts(app_configs, **kwargs): 

234 return [] if settings.ALLOWED_HOSTS else [W020] 

235 

236 

237@register(Tags.security, deploy=True) 

238def check_referrer_policy(app_configs, **kwargs): 

239 if _security_middleware(): 

240 if settings.SECURE_REFERRER_POLICY is None: 

241 return [W022] 

242 # Support a comma-separated string or iterable of values to allow fallback. 

243 if isinstance(settings.SECURE_REFERRER_POLICY, str): 

244 values = {v.strip() for v in settings.SECURE_REFERRER_POLICY.split(",")} 

245 else: 

246 values = set(settings.SECURE_REFERRER_POLICY) 

247 if not values <= REFERRER_POLICY_VALUES: 

248 return [E023] 

249 return [] 

250 

251 

252@register(Tags.security, deploy=True) 

253def check_cross_origin_opener_policy(app_configs, **kwargs): 

254 if ( 

255 _security_middleware() 

256 and settings.SECURE_CROSS_ORIGIN_OPENER_POLICY is not None 

257 and settings.SECURE_CROSS_ORIGIN_OPENER_POLICY 

258 not in CROSS_ORIGIN_OPENER_POLICY_VALUES 

259 ): 

260 return [E024] 

261 return []