def test_django_settings_contrib():
    """A conditional expression nested in a list literal must not be reported.

    Regression check: the DB_HOSTS assignment below chains two ternaries
    inside a list. The checker is expected to return no violations for it
    (presumably guarding against a false positive on a non-constant element).
    """
    settings_src = """
DB_HOSTS = ["host.docker.internal" if STAGING or PRODUCTION else "minidb" if MINI_DB else "db"]
"""
    tree = generate_ast_from_code(settings_src)
    # Second argument is the path the snippet is attributed to; presumably the
    # checker keys on the "settings.py" basename -- confirm in insights.
    violations = insights._check_django_common_misconfig(tree, "settings.py")
    # Any truthy return (a non-empty violation list) would be a false positive.
    assert not violations
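def test_django_insights():
    """Exercise _check_django_common_misconfig against a series of settings snippets.

    Each scenario parses a minimal Django settings module and asserts that the
    checker reports at least one violation whose short_description mentions the
    expected finding. Matching is on substrings, so additional, unrelated
    findings never fail a scenario.

    NOTE(review): every fixture below also sets ALLOWED_HOSTS = ['*'], which
    accepts any Host header, but no assertion covers whether the checker
    reports it -- the substring checks pass either way. Worth a dedicated case
    so that finding cannot regress silently.
    """
    # Scenario 1: MIDDLEWARE has CsrfViewMiddleware but no SecurityMiddleware.
    tree = generate_ast_from_code("""
ALLOWED_HOSTS = ['*']

INSTALLED_APPS = [
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'app.apps.AppConfig',
    'bootstrap4',
    'fullcalendar',
]

MIDDLEWARE = [
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'app.middleware.AnalyticsStorageMiddleware'
]
    """)
    # Second argument is the path the snippet is attributed to; presumably the
    # checker keys on the "settings.py" basename -- confirm in insights.
    violations = insights._check_django_common_misconfig(
        tree, "/tmp/settings.py")
    assert violations
    assert any("security middleware" in v.short_description for v in violations)

    # Scenario 2: SecurityMiddleware present, CsrfViewMiddleware missing.
    tree = generate_ast_from_code("""
ALLOWED_HOSTS = ['*']

INSTALLED_APPS = [
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'app.apps.AppConfig',
    'bootstrap4',
    'fullcalendar',
]

MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'app.middleware.AnalyticsStorageMiddleware'
]
    """)
    violations = insights._check_django_common_misconfig(
        tree, "/tmp/settings.py")
    assert violations
    assert any("CSRF protection" in v.short_description for v in violations)

    # Scenario 3: the middleware list lives under the older MIDDLEWARE_CLASSES
    # name and lacks CsrfViewMiddleware; the checker is expected to inspect
    # that setting too. (It also lacks Security/Auth/XFrameOptions middleware,
    # but only the CSRF finding is asserted here.)
    tree = generate_ast_from_code("""
ALLOWED_HOSTS = ['*']

INSTALLED_APPS = [
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'app.apps.AppConfig',
    'bootstrap4',
    'fullcalendar',
]

MIDDLEWARE_CLASSES = [
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
]
    """)
    violations = insights._check_django_common_misconfig(
        tree, "/tmp/settings.py")
    assert violations
    assert any("CSRF protection" in v.short_description for v in violations)

    # Scenario 4: cookie-based session backend (session data stored client-side);
    # the fixture's own comment ties this to OWASP A2. The finding is expected
    # to name the backend.
    tree = generate_ast_from_code("""
ALLOWED_HOSTS = ['*']

INSTALLED_APPS = [
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'app.apps.AppConfig',
    'bootstrap4',
    'fullcalendar',
]

# A2: Broken Auth and Session Management
SESSION_ENGINE = "django.contrib.sessions.backends.signed_cookies"
    """)
    violations = insights._check_django_common_misconfig(
        tree, "/tmp/settings.py")
    assert violations
    assert any("signed_cookies" in v.short_description for v in violations)

    # Scenario 5: django-debug-toolbar configured via DEBUG_TOOLBAR_CONFIG with
    # a custom SHOW_TOOLBAR_CALLBACK; the checker is expected to flag the
    # toolbar's presence in a settings module.
    tree = generate_ast_from_code("""
ALLOWED_HOSTS = ['*']

INSTALLED_APPS = [
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'app.apps.AppConfig',
    'bootstrap4',
    'fullcalendar',
]

DEBUG_TOOLBAR_CONFIG = {
        'SHOW_TOOLBAR_CALLBACK': 'badguys.settings.show_toolbar'
}
    """)
    violations = insights._check_django_common_misconfig(
        tree, "/tmp/settings.py")
    assert violations
    assert any("django-debug-toolbar" in v.short_description for v in violations)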
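def test_django_insights():
    """Exercise _check_django_common_misconfig on two MIDDLEWARE configurations.

    Each scenario parses a minimal Django settings module and asserts that the
    checker reports at least one violation whose short_description mentions the
    expected finding. Matching is on substrings, so additional, unrelated
    findings never fail a scenario.

    NOTE(review): both fixtures also set ALLOWED_HOSTS = ['*'], which accepts
    any Host header, but no assertion covers whether the checker reports it --
    the substring checks pass either way. Worth a dedicated case.
    """
    # Scenario 1: MIDDLEWARE has CsrfViewMiddleware but no SecurityMiddleware.
    tree = generate_ast_from_code("""
ALLOWED_HOSTS = ['*']

INSTALLED_APPS = [
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'app.apps.AppConfig',
    'bootstrap4',
    'fullcalendar',
]

MIDDLEWARE = [
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'app.middleware.AnalyticsStorageMiddleware'
]
    """)
    # Second argument is the path the snippet is attributed to; presumably the
    # checker keys on the "settings.py" basename -- confirm in insights.
    violations = insights._check_django_common_misconfig(
        tree, "/tmp/settings.py")
    assert violations
    assert any("security middleware" in v.short_description for v in violations)

    # Scenario 2: SecurityMiddleware present, CsrfViewMiddleware missing.
    tree = generate_ast_from_code("""
ALLOWED_HOSTS = ['*']

INSTALLED_APPS = [
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'app.apps.AppConfig',
    'bootstrap4',
    'fullcalendar',
]

MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'app.middleware.AnalyticsStorageMiddleware'
]
    """)
    violations = insights._check_django_common_misconfig(
        tree, "/tmp/settings.py")
    assert violations
    assert any("CSRF protection" in v.short_description for v in violations)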