Codemod: no-csrf-exempt decorator Semgrep
clavedeluna opened this issue · comments
Dani Alcala commented
❯❱ python.django.security.audit.csrf-exempt.no-csrf-exempt
Detected usage of @csrf_exempt, which indicates that there is no CSRF token set for this route. This
could lead to an attacker manipulating the user's account and exfiltration of private data. Instead,
create a function without this decorator.
Details: https://sg.run/rd5e
17┆ @csrf_exempt
18┆ def ssrf_code_checker(request):
The codemod here would be to remove the decorator; however, there are legitimate reasons to use this decorator sometimes. So do we want to create this codemod but make it merge after review?
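As an added example (not code from this issue or from the project it belongs to), here is a minimal stdlib-only version of the codemod described above: it removes the `@csrf_exempt` decorator lines that the Semgrep rule flags while leaving the rest of the file untouched, and it returns the names of the changed views so the result can be handed to a reviewer rather than merged blind. The Django views module it runs on is constructed here for illustration.

```python
import ast

# Constructed sample input (not from the issue): a Django views module with
# one view marked @csrf_exempt and one ordinary view.
SAMPLE_VIEWS = '''\
from django.http import HttpResponse
from django.views.decorators.csrf import csrf_exempt


@csrf_exempt
def ssrf_code_checker(request):
    return HttpResponse("checked")


def health(request):
    return HttpResponse("ok")
'''


def _is_csrf_exempt(decorator: ast.expr) -> bool:
    """Match both `@csrf_exempt` and `@csrf.csrf_exempt` spellings."""
    if isinstance(decorator, ast.Name):
        return decorator.id == "csrf_exempt"
    if isinstance(decorator, ast.Attribute):
        return decorator.attr == "csrf_exempt"
    return False


def remove_csrf_exempt(source: str) -> tuple[str, list[str]]:
    """Drop every @csrf_exempt decorator line; return (new_source, changed_views).

    Source lines are spliced rather than regenerated from the AST so comments
    and formatting elsewhere in the file survive. The now-unused import is left
    in place on purpose; that is a separate cleanup for a reviewer or linter.
    """
    tree = ast.parse(source)
    lines = source.splitlines(keepends=True)
    drop: set[int] = set()
    changed: list[str] = []
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            for dec in node.decorator_list:
                if _is_csrf_exempt(dec):
                    # The decorator expression starts on the same line as its
                    # leading '@', so dropping these 1-based lines removes it.
                    drop.update(range(dec.lineno - 1, dec.end_lineno))
                    changed.append(node.name)
    new_source = "".join(l for i, l in enumerate(lines) if i not in drop)
    return new_source, changed


if __name__ == "__main__":
    rewritten, views = remove_csrf_exempt(SAMPLE_VIEWS)
    print("Views needing review:", views)
    print(rewritten)
```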