Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

More CSRF fixes. #958

Merged
merged 1 commit into from
Mar 21, 2024
Merged

More CSRF fixes. #958

merged 1 commit into from
Mar 21, 2024

Conversation

jwag956
Copy link
Collaborator

@jwag956 jwag956 commented Mar 20, 2024
edited
Loading

For application forms (not Flask-Security forms/views) the CSRF_PROTECT_MECHANISMS didn't stop form level CSRF checks. This PR changes how we communicate to form-based CSRF whether to proceed or not - used to use a FS-specific request attribute - but that only worked with forms instantiated by Flask-Security. Now, use Flask-WTF request attribute csrf_valid.

This also simplified the unauth_csrf() decorator so that the 'fall_through' parameter is no longer needed.

close #954

@codecov Codecov
Copy link

codecov bot commented Mar 20, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 98.47%. Comparing base (528d9a6) to head (56a5085).

Additional details and impacted files 
@@            Coverage Diff             @@
##           master     #958      +/-   ##
==========================================
+ Coverage   98.44%   98.47%   +0.02%     
==========================================
  Files          35       35              
  Lines        4513     4513              
==========================================
+ Hits         4443     4444       +1     
+ Misses         70       69       -1

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@jwag956
More CSRF fixes.
56a5085 
For application forms (not Flask-Security forms/views) the CSRF_PROTECT_MECHANISMS didn't stop form level CSRF checks.
This PR changes how we communicate to form-based CSRF whether to proceed or not - used to use a FS-specific request attribute - but that only worked with forms instantiated by Flask-Security. Now, use Flask-WTF request attribute `csrf_valid`.

This also simplified the unauth_csrf() decorator so that the 'fall_through' parameter is no longer needed (and uses have been removed).

Add test for @unauth_csrf decorator raising error. Note that this returns a 400 with 'CSRF token is missing' - unlike the normal form-based CSRF check that returns it as a field error.
@jwag956 jwag956 merged commit 3c9c44d into master Mar 21, 2024
19 checks passed
@jwag956 jwag956 deleted the csrf954 branch March 21, 2024 21:19
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 28, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

CSRF protection doesn't turn off on token requests
1 participant
@jwag956