semgrep remove scrf exempt decorator (#755)

clavedeluna · web-flow · commit adeef456c745 · 2024-07-30T10:33:49.000Z
diff --git a/src/codemodder/scripts/generate_docs.py b/src/codemodder/scripts/generate_docs.py
@@ -347,6 +347,11 @@ class DocMetadata:
         guidance_explained="This codemod updates the key size for RSA to the `2048` recommended minimum. Since this is an important security fix that follows modern cryptographic standards, we believe this change can be safely merged without review.",
         need_sarif="Yes (Semgrep)",
     ),
+    "no-csrf-exempt": DocMetadata(
+        importance="Medium",
+        guidance_explained="This codemod removes the `@csrf_exempt` decorator from a Django view to ensure it's protected against CSRF attacks. However, there are valid cases for using this decorator so make sure to review your application to determine if this is the case.",
+        need_sarif="Yes (Semgrep)",
+    ),
 }
 ALL_CODEMODS_METADATA = (
     CORE_CODEMODS | DEFECTDOJO_CODEMODS | SONAR_CODEMODS | SEMGREP_CODEMODS
diff --git a/src/core_codemods/__init__.py b/src/core_codemods/__init__.py
@@ -58,6 +58,7 @@
 from .semgrep.semgrep_enable_jinja2_autoescape import SemgrepEnableJinja2Autoescape
 from .semgrep.semgrep_harden_pyyaml import SemgrepHardenPyyaml
 from .semgrep.semgrep_jwt_decode_verify import SemgrepJwtDecodeVerify
+from .semgrep.semgrep_no_csrf_exempt import SemgrepNoCsrfExempt
 from .semgrep.semgrep_rsa_key_size import SemgrepRsaKeySize
 from .semgrep.semgrep_sql_parametrization import SemgrepSQLParameterization
 from .semgrep.semgrep_subprocess_shell_false import SemgrepSubprocessShellFalse
@@ -207,6 +208,7 @@
     codemods=[
         SemgrepUrlSandbox,
         SemgrepEnableJinja2Autoescape,
+        SemgrepNoCsrfExempt,
         SemgrepJwtDecodeVerify,
         SemgrepUseDefusedXml,
         SemgrepSubprocessShellFalse,
diff --git a/src/core_codemods/semgrep/semgrep_no_csrf_exempt.py b/src/core_codemods/semgrep/semgrep_no_csrf_exempt.py
@@ -0,0 +1,61 @@
+import libcst as cst
+
+from codemodder.codemods.base_codemod import (
+    Metadata,
+    ReviewGuidance,
+    ToolMetadata,
+    ToolRule,
+)
+from codemodder.codemods.libcst_transformer import (
+    LibcstResultTransformer,
+    LibcstTransformerPipeline,
+)
+from codemodder.codemods.semgrep import SemgrepSarifFileDetector
+from codemodder.codemods.utils_mixin import NameResolutionMixin
+from core_codemods.semgrep.api import SemgrepCodemod, semgrep_url_from_id
+
+
+class RemoveCsrfExemptTransformer(LibcstResultTransformer, NameResolutionMixin):
+    change_description = "Remove `@csrf_exempt` decorator from Django view"
+
+    def leave_Decorator(
+        self, original_node: cst.Decorator, updated_node: cst.Decorator
+    ):
+        if not self.filter_by_path_includes_or_excludes(
+            self.node_position(original_node)
+        ):
+            return updated_node
+
+        if (
+            self.find_base_name(original_node.decorator)
+            == "django.views.decorators.csrf.csrf_exempt"
+        ):
+            self.report_change(original_node)
+            return cst.RemovalSentinel.REMOVE
+        return original_node
+
+
+SemgrepNoCsrfExempt = SemgrepCodemod(
+    metadata=Metadata(
+        name="no-csrf-exempt",
+        summary=RemoveCsrfExemptTransformer.change_description.title(),
+        description=RemoveCsrfExemptTransformer.change_description.title(),
+        review_guidance=ReviewGuidance.MERGE_AFTER_REVIEW,
+        tool=ToolMetadata(
+            name="Semgrep",
+            rules=[
+                ToolRule(
+                    id=(
+                        rule_id := "python.django.security.audit.csrf-exempt.no-csrf-exempt"
+                    ),
+                    name="no-csrf-exempt",
+                    url=semgrep_url_from_id(rule_id),
+                )
+            ],
+        ),
+        references=[],
+    ),
+    transformer=LibcstTransformerPipeline(RemoveCsrfExemptTransformer),
+    detector=SemgrepSarifFileDetector(),
+    requested_rules=[rule_id],
+)
diff --git a/tests/codemods/semgrep/test_semgrep_no_csrf_exempt.py b/tests/codemods/semgrep/test_semgrep_no_csrf_exempt.py
@@ -0,0 +1,118 @@
+import json
+
+from codemodder.codemods.test import BaseSASTCodemodTest
+from core_codemods.semgrep.semgrep_no_csrf_exempt import SemgrepNoCsrfExempt
+
+
+class TestSemgrepNoCsrfExempt(BaseSASTCodemodTest):
+    codemod = SemgrepNoCsrfExempt
+    tool = "semgrep"
+
+    def test_name(self):
+        assert self.codemod.name == "no-csrf-exempt"
+
+    def test_decorators(self, tmpdir):
+        input_code = """\
+        from django.http import JsonResponse
+        from django.views.decorators.csrf import csrf_exempt
+        from django.dispatch import receiver
+        from django.core.signals import request_finished
+        
+        @csrf_exempt
+        def ssrf_code_checker(request):
+            if request.user.is_authenticated:
+                if request.method == 'POST':
+                    return JsonResponse({'message': 'Testbench failed'}, status=200)
+            return JsonResponse({'message': 'UnAuthenticated User'}, status=401)
+        
+        
+        @receiver(request_finished)
+        @csrf_exempt
+        def foo():
+            pass
+        """
+        expected_output = """\
+        from django.http import JsonResponse
+        from django.views.decorators.csrf import csrf_exempt
+        from django.dispatch import receiver
+        from django.core.signals import request_finished
+        
+        def ssrf_code_checker(request):
+            if request.user.is_authenticated:
+                if request.method == 'POST':
+                    return JsonResponse({'message': 'Testbench failed'}, status=200)
+            return JsonResponse({'message': 'UnAuthenticated User'}, status=401)
+        
+        
+        @receiver(request_finished)
+        def foo():
+            pass
+        """
+
+        results = {
+            "runs": [
+                {
+                    "results": [
+                        {
+                            "fingerprints": {"matchBasedId/v1": "a3ca2"},
+                            "locations": [
+                                {
+                                    "physicalLocation": {
+                                        "artifactLocation": {
+                                            "uri": "code.py",
+                                            "uriBaseId": "%SRCROOT%",
+                                        },
+                                        "region": {
+                                            "endColumn": 73,
+                                            "endLine": 11,
+                                            "snippet": {
+                                                "text": "@csrf_exempt\ndef ssrf_code_checker(request):\n    if request.user.is_authenticated:\n        if request.method == 'POST':\n            return JsonResponse({'message': 'Testbench failed'}, status=200)\n    return JsonResponse({'message': 'UnAuthenticated User'}, status=401)"
+                                            },
+                                            "startColumn": 1,
+                                            "startLine": 6,
+                                        },
+                                    }
+                                }
+                            ],
+                            "message": {
+                                "text": "Detected usage of @csrf_exempt, which indicates that there is no CSRF token set for this route. This could lead to an attacker manipulating the user's account and exfiltration of private data. Instead, create a function without this decorator."
+                            },
+                            "ruleId": "python.django.security.audit.csrf-exempt.no-csrf-exempt",
+                        },
+                        {
+                            "fingerprints": {"matchBasedId/v1": "1cc62"},
+                            "locations": [
+                                {
+                                    "physicalLocation": {
+                                        "artifactLocation": {
+                                            "uri": "code.py",
+                                            "uriBaseId": "%SRCROOT%",
+                                        },
+                                        "region": {
+                                            "endColumn": 9,
+                                            "endLine": 17,
+                                            "snippet": {
+                                                "text": "@receiver(request_finished)\n@csrf_exempt\ndef foo():\n    pass"
+                                            },
+                                            "startColumn": 1,
+                                            "startLine": 14,
+                                        },
+                                    }
+                                }
+                            ],
+                            "message": {
+                                "text": "Detected usage of @csrf_exempt, which indicates that there is no CSRF token set for this route. This could lead to an attacker manipulating the user's account and exfiltration of private data. Instead, create a function without this decorator."
+                            },
+                            "ruleId": "python.django.security.audit.csrf-exempt.no-csrf-exempt",
+                        },
+                    ],
+                }
+            ]
+        }
+        self.run_and_assert(
+            tmpdir,
+            input_code,
+            expected_output,
+            results=json.dumps(results),
+            num_changes=2,
+        )
