from django.conf import settings

from .. import Tags, Warning, register
def add_session_cookie_message(message):
    """Append the shared SESSION_COOKIE_SECURE rationale to a check message.

    Every ``Secure``-flag warning in this module ends with the same sentence
    explaining the risk, so the suffix lives here rather than being repeated
    in each message literal.

    Args:
        message: The setting-specific sentence to extend.

    Returns:
        ``message`` followed by the explanatory sentence about secure-only
        session cookies.
    """
    rationale = (
        " Using a secure-only session cookie makes it more difficult for "
        "network traffic sniffers to hijack user sessions."
    )
    return "".join([message, rationale])
# SESSION_COOKIE_SECURE warnings. W010 and W011 each name the piece of
# configuration that enables sessions (the app in INSTALLED_APPS, or
# SessionMiddleware in MIDDLEWARE); W012 is the generic form the check
# reports when both are present. The ``id`` values are the stable identifiers
# shown in ``check`` output and accepted by SILENCED_SYSTEM_CHECKS.
_SECURE_APP_MSG = (
    "You have 'django.contrib.sessions' in your INSTALLED_APPS, "
    "but you have not set SESSION_COOKIE_SECURE to True."
)
_SECURE_MIDDLEWARE_MSG = (
    "You have 'django.contrib.sessions.middleware.SessionMiddleware' "
    "in your MIDDLEWARE, but you have not set "
    "SESSION_COOKIE_SECURE to True."
)
_SECURE_GENERIC_MSG = "SESSION_COOKIE_SECURE is not set to True."

W010 = Warning(add_session_cookie_message(_SECURE_APP_MSG), id="security.W010")

W011 = Warning(
    add_session_cookie_message(_SECURE_MIDDLEWARE_MSG), id="security.W011"
)

W012 = Warning(
    add_session_cookie_message(_SECURE_GENERIC_MSG), id="security.W012"
)
def add_httponly_message(message):
    """Append the shared SESSION_COOKIE_HTTPONLY rationale to a check message.

    Every ``HttpOnly``-flag warning in this module ends with the same sentence
    explaining the risk, so the suffix is kept in one place.

    Args:
        message: The setting-specific sentence to extend.

    Returns:
        ``message`` followed by the explanatory sentence about HttpOnly
        session cookies.
    """
    rationale = (
        " Using an HttpOnly session cookie makes it more difficult for "
        "cross-site scripting attacks to hijack user sessions."
    )
    return "".join([message, rationale])
# SESSION_COOKIE_HTTPONLY warnings, mirroring the SESSION_COOKIE_SECURE set:
# W013 (sessions app installed), W014 (SessionMiddleware enabled), and W015,
# the generic form the check reports when both are present.
_HTTPONLY_APP_MSG = (
    "You have 'django.contrib.sessions' in your INSTALLED_APPS, "
    "but you have not set SESSION_COOKIE_HTTPONLY to True."
)
_HTTPONLY_MIDDLEWARE_MSG = (
    "You have 'django.contrib.sessions.middleware.SessionMiddleware' "
    "in your MIDDLEWARE, but you have not set "
    "SESSION_COOKIE_HTTPONLY to True."
)
_HTTPONLY_GENERIC_MSG = "SESSION_COOKIE_HTTPONLY is not set to True."

W013 = Warning(add_httponly_message(_HTTPONLY_APP_MSG), id="security.W013")

W014 = Warning(
    add_httponly_message(_HTTPONLY_MIDDLEWARE_MSG), id="security.W014"
)

W015 = Warning(
    add_httponly_message(_HTTPONLY_GENERIC_MSG), id="security.W015"
)
@register(Tags.security, deploy=True)
def check_session_cookie_secure(app_configs, **kwargs):
    """Warn when sessions are enabled but SESSION_COOKIE_SECURE is not True.

    Registered with ``deploy=True``, so it is part of the deployment checks
    (``check --deploy``). The setting is compared by identity against
    ``True``; a truthy non-bool value such as ``1`` still produces a warning.

    Args:
        app_configs: Unused; present for the check-framework signature.
        **kwargs: Unused; present for the check-framework signature.

    Returns:
        ``[]`` when the setting is ``True`` or neither the sessions app nor
        SessionMiddleware is configured; ``[W010]`` or ``[W011]`` when exactly
        one of them is; ``[W012]`` when both are.
    """
    if settings.SESSION_COOKIE_SECURE is True:
        return []
    # Evaluate both probes up front so the combined case can be recognized.
    via_app = _session_app()
    via_middleware = _session_middleware()
    if via_app and via_middleware:
        # Both enable sessions: report the single generic warning instead of two.
        return [W012]
    if via_app:
        return [W010]
    if via_middleware:
        return [W011]
    return []
@register(Tags.security, deploy=True)
def check_session_cookie_httponly(app_configs, **kwargs):
    """Warn when sessions are enabled but SESSION_COOKIE_HTTPONLY is not True.

    Registered with ``deploy=True``, so it is part of the deployment checks
    (``check --deploy``). The setting is compared by identity against
    ``True``; a truthy non-bool value such as ``1`` still produces a warning.

    Args:
        app_configs: Unused; present for the check-framework signature.
        **kwargs: Unused; present for the check-framework signature.

    Returns:
        ``[]`` when the setting is ``True`` or neither the sessions app nor
        SessionMiddleware is configured; ``[W013]`` or ``[W014]`` when exactly
        one of them is; ``[W015]`` when both are.
    """
    if settings.SESSION_COOKIE_HTTPONLY is True:
        return []
    # Evaluate both probes up front so the combined case can be recognized.
    via_app = _session_app()
    via_middleware = _session_middleware()
    if via_app and via_middleware:
        # Both enable sessions: report the single generic warning instead of two.
        return [W015]
    if via_app:
        return [W013]
    if via_middleware:
        return [W014]
    return []
def _session_middleware():
    """Return whether SessionMiddleware is listed in ``settings.MIDDLEWARE``.

    This is a literal membership test on the dotted path, so a subclass
    registered under a different path is not recognized by this probe.
    """
    middleware_path = "django.contrib.sessions.middleware.SessionMiddleware"
    return middleware_path in settings.MIDDLEWARE
def _session_app():
    """Return whether the sessions app is listed in ``settings.INSTALLED_APPS``.

    Only the exact dotted path is matched; an AppConfig path for the same app
    would not be detected here.
    """
    app_label = "django.contrib.sessions"
    return app_label in settings.INSTALLED_APPS