pixee / codemodder-python

Python implementation of the Codemodder framework


Codemod: no-csrf-exempt decorator Semgrep

clavedeluna opened this issue · comments

    ❯❱ python.django.security.audit.csrf-exempt.no-csrf-exempt
          Detected usage of @csrf_exempt, which indicates that there is no CSRF token set for this route. This
          could lead to an attacker manipulating the user's account and exfiltration of private data. Instead,
          create a function without this decorator.
          Details: https://sg.run/rd5e

           17┆ @csrf_exempt
           18┆ def ssrf_code_checker(request):

The codemod here would be to remove the decorator; however, there are legitimate reasons to use this decorator sometimes. So do we want to create this codemod but make it merge after review?
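As an added illustration (not code from this issue or from codemodder-python), a stdlib-only sketch of the rewrite the issue describes: it finds view functions decorated with `csrf_exempt`, drops those decorator lines, and reports the affected function names so a reviewer can judge each case before the change is merged. The sample module and the assumption that each decorator sits on its own line are constructed for this example.

```python
import ast

# Constructed sample: a Django views module of the kind the Semgrep rule flags.
SAMPLE = '''\
from django.views.decorators.csrf import csrf_exempt
from django.http import HttpResponse


@csrf_exempt
def ssrf_code_checker(request):
    return HttpResponse("ok")


@login_required
@csrf_exempt
def other_view(request):
    return HttpResponse("ok")


def safe_view(request):
    return HttpResponse("ok")
'''


def _is_csrf_exempt(node: ast.expr) -> bool:
    """Match both `@csrf_exempt` and `@csrf.csrf_exempt` spellings."""
    if isinstance(node, ast.Name):
        return node.id == "csrf_exempt"
    if isinstance(node, ast.Attribute):
        return node.attr == "csrf_exempt"
    return False


def remove_csrf_exempt(source: str) -> tuple[str, list[str]]:
    """Return (rewritten source, names of functions whose decorator was removed).

    Assumption for this example: every decorator occupies its own line, so the
    decorator's lineno identifies exactly the line to drop. Other lines are kept
    byte-for-byte, which keeps the diff reviewable.
    """
    tree = ast.parse(source)
    doomed: set[int] = set()
    changed: list[str] = []
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            for dec in node.decorator_list:
                if _is_csrf_exempt(dec):
                    doomed.add(dec.lineno)  # line of the `@csrf_exempt` itself
                    changed.append(node.name)
    lines = source.splitlines(keepends=True)
    kept = [ln for i, ln in enumerate(lines, start=1) if i not in doomed]
    return "".join(kept), changed
```

The `changed` list is what a review-gated codemod would surface: each name is a route whose CSRF protection is being restored and that a human should confirm is not a legitimate exemption (for example a webhook endpoint authenticated by other means).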