


1from django.conf import settings 

2 

3from .. import Tags, Warning, register 

4 

5 

def add_session_cookie_message(message: str) -> str:
    """Append the rationale for ``SESSION_COOKIE_SECURE`` to *message*.

    The same closing sentence is shared by W010, W011 and W012 so each warning
    says why the setting matters, not only that it is unset.

    Args:
        message: The warning-specific lead-in text.

    Returns:
        ``message`` followed by a space-prefixed sentence about secure-only
        session cookies.
    """
    rationale = (
        " Using a secure-only session cookie makes it more difficult for "
        "network traffic sniffers to hijack user sessions."
    )
    # NOTE(review): the Secure flag only stops the browser from sending the
    # cookie over plain HTTP; it does not by itself move the site to HTTPS.
    return message + rationale

11 

12 

# Three variants of the same finding so the message can name exactly what
# triggered it; check_session_cookie_secure() returns one of them.
W010 = Warning(
    add_session_cookie_message(
        "You have 'django.contrib.sessions' in your INSTALLED_APPS, but you "
        "have not set SESSION_COOKIE_SECURE to True."
    ),
    id="security.W010",
)

W011 = Warning(
    add_session_cookie_message(
        "You have 'django.contrib.sessions.middleware.SessionMiddleware' in your "
        "MIDDLEWARE, but you have not set SESSION_COOKIE_SECURE to True."
    ),
    id="security.W011",
)

# Generic form, used in place of W010 + W011 when both the app and the
# middleware are present.
W012 = Warning(
    add_session_cookie_message("SESSION_COOKIE_SECURE is not set to True."),
    id="security.W012",
)

34 

35 

def add_httponly_message(message: str) -> str:
    """Append the rationale for ``SESSION_COOKIE_HTTPONLY`` to *message*.

    Shared by W013, W014 and W015 so every variant of the warning carries the
    same explanation.

    Args:
        message: The warning-specific lead-in text.

    Returns:
        ``message`` followed by a space-prefixed sentence about HttpOnly
        session cookies.
    """
    rationale = (
        " Using an HttpOnly session cookie makes it more difficult for "
        "cross-site scripting attacks to hijack user sessions."
    )
    # NOTE(review): HttpOnly keeps script from reading the cookie value; an
    # XSS payload can still issue requests from the page that carry it.
    return message + rationale

41 

42 

# HttpOnly counterparts of W010-W012; check_session_cookie_httponly() returns
# one of them.
W013 = Warning(
    add_httponly_message(
        "You have 'django.contrib.sessions' in your INSTALLED_APPS, but you "
        "have not set SESSION_COOKIE_HTTPONLY to True."
    ),
    id="security.W013",
)

W014 = Warning(
    add_httponly_message(
        "You have 'django.contrib.sessions.middleware.SessionMiddleware' in your "
        "MIDDLEWARE, but you have not set SESSION_COOKIE_HTTPONLY to True."
    ),
    id="security.W014",
)

# Generic form, used in place of W013 + W014 when both the app and the
# middleware are present.
W015 = Warning(
    add_httponly_message("SESSION_COOKIE_HTTPONLY is not set to True."),
    id="security.W015",
)

64 

65 

@register(Tags.security, deploy=True)
def check_session_cookie_secure(app_configs, **kwargs):
    """Warn when sessions are in use but ``SESSION_COOKIE_SECURE`` is falsy.

    Registered with ``deploy=True``, so it is part of the deployment-time
    security checks. ``app_configs`` and ``**kwargs`` belong to the check
    framework's calling convention and are not used here.

    Returns:
        ``[]`` when the setting is truthy; otherwise a one-element list holding
        W010 (sessions app installed), W011 (session middleware enabled), or
        the combined W012 when both apply.
    """
    # Any falsy value (False, None, 0, "") counts as "not set to True".
    if settings.SESSION_COOKIE_SECURE:
        return []
    # Both probes run unconditionally: app first, then middleware.
    findings = [
        warning
        for present, warning in ((_session_app(), W010), (_session_middleware(), W011))
        if present
    ]
    # Two hits collapse into the single generic warning instead of two
    # near-duplicate messages.
    return [W012] if len(findings) > 1 else findings

77 

78 

@register(Tags.security, deploy=True)
def check_session_cookie_httponly(app_configs, **kwargs):
    """Warn when sessions are in use but ``SESSION_COOKIE_HTTPONLY`` is falsy.

    Registered with ``deploy=True``, so it is part of the deployment-time
    security checks. ``app_configs`` and ``**kwargs`` belong to the check
    framework's calling convention and are not used here.

    Returns:
        ``[]`` when the setting is truthy; otherwise a one-element list holding
        W013 (sessions app installed), W014 (session middleware enabled), or
        the combined W015 when both apply.
    """
    # Any falsy value (False, None, 0, "") counts as "not set to True".
    if settings.SESSION_COOKIE_HTTPONLY:
        return []
    # Both probes run unconditionally: app first, then middleware.
    findings = [
        warning
        for present, warning in ((_session_app(), W013), (_session_middleware(), W014))
        if present
    ]
    # Two hits collapse into the single generic warning instead of two
    # near-duplicate messages.
    return [W015] if len(findings) > 1 else findings

90 

91 

def _session_middleware() -> bool:
    """Return True when ``settings.MIDDLEWARE`` lists Django's SessionMiddleware.

    This is an exact string membership test: a subclass or re-export of the
    middleware under a different dotted path is not recognised, so the
    session-cookie checks in this module stay silent for such projects.
    """
    session_middleware = "django.contrib.sessions.middleware.SessionMiddleware"
    return session_middleware in settings.MIDDLEWARE

94 

95 

def _session_app() -> bool:
    """Return True when ``settings.INSTALLED_APPS`` lists ``django.contrib.sessions``.

    Exact membership only: an entry that names the app through an AppConfig
    dotted path (anything other than the literal ``"django.contrib.sessions"``)
    is not matched here.
    """
    sessions_app = "django.contrib.sessions"
    return sessions_app in settings.INSTALLED_APPS