Django Unsafe Configuration

ID

python.django_unsafe_configuration

Severity

high

Resource

Misconfiguration

Language

Python

Tags

CWE:693, CWE:284, CWE:319, CWE:328, CWE:489, CWE:798, CWE:942, NIST.SP.800-53, OWASP:2021:A2, OWASP:2021:A5, OWASP:2021:A7, PCI-DSS:3.6.1, PCI-DSS:6.5.6, django

Description

Insecure values in a Django project's settings.py (debug mode left on, a wildcard in ALLOWED_HOSTS, a hardcoded SECRET_KEY, a missing SecurityMiddleware, a weak password hasher, no HTTPS redirect, or CORS open to every origin) expose the application to information disclosure, Host header attacks, credential and session compromise, and downgrade to clear-text traffic.

Rationale

Each of the following settings, when left at an insecure value, introduces a concrete weakness. The name in front of each item is the detector parameter that enables that check:

  • checkAllowedHosts: ALLOWED_HOSTS must list only the hostnames the site actually serves. An empty list or a "*" wildcard disables Django's Host header validation and enables HTTP Host header attacks (poisoned password-reset links, cache poisoning).

  • checkCorsAllowAllOrigins: CORS_ALLOW_ALL_ORIGINS = True (a django-cors-headers setting, not part of Django core) tells browsers that any web origin may issue cross-origin requests to the application and read the responses, which defeats the same-origin policy for the API.

  • checkDebug: DEBUG = True renders full tracebacks, the settings module and the executed SQL on error pages, exposing sensitive information to anyone who can trigger an error.

  • checkHardcodedSecret: A SECRET_KEY written into settings.py ends up in version control and build artifacts. Anyone who obtains it can forge session cookies, password-reset tokens and every other value Django signs with it.

  • checkSecureSslRedirect: SECURE_SSL_REDIRECT = True makes SecurityMiddleware redirect every non-HTTPS request to HTTPS, so no traffic is served in clear text. It has no effect unless SecurityMiddleware is installed, and behind a TLS-terminating proxy it requires SECURE_PROXY_SSL_HEADER so that forwarded requests are not redirected in a loop.

  • checkSecurityMiddleware: django.middleware.security.SecurityMiddleware is what implements SECURE_SSL_REDIRECT, HTTP Strict Transport Security (SECURE_HSTS_SECONDS), X-Content-Type-Options: nosniff and Referrer-Policy. Without it those settings are silently ignored and a man-in-the-middle can keep clients on plain HTTP.

  • checkWeakHash: Putting a fast hasher such as SHA1PasswordHasher or MD5PasswordHasher first in PASSWORD_HASHERS stores new passwords with a hash that is cheap to brute-force on commodity hardware; the Unsalted* variants additionally allow rainbow-table attacks. Only the first entry is used for new passwords, so it must be PBKDF2 (Django's default) or Argon2.

Here is a vulnerable code example for Django (this snippet belongs to a settings.py file; CORS_ALLOW_ALL_ORIGINS is read by the django-cors-headers package rather than by Django itself):

ALLOWED_HOSTS = ["*"]  # FLAW: wildcard disables Host header validation

DEBUG = True  # FLAW: error pages leak tracebacks, settings and SQL queries

MIDDLEWARE = [  # FLAW: django.middleware.security.SecurityMiddleware is missing
    "django.middleware.common.CommonMiddleware",
    "django.middleware.locale.LocaleMiddleware",
    "django.middleware.csrf.CsrfViewMiddleware",
    "django.middleware.clickjacking.XFrameOptionsMiddleware",
    "django.contrib.sessions.middleware.SessionMiddleware",
    "django.contrib.auth.middleware.AuthenticationMiddleware",
    "django.contrib.messages.middleware.MessageMiddleware",
]

PASSWORD_HASHERS = [  # FLAW: SHA-1 is a fast hash, unsuitable for password storage
    "django.contrib.auth.hashers.SHA1PasswordHasher",
]

SECRET_KEY = "sxxpW8y1d4nycVK84cyYtD0RGmNiYpk684cyYtD0RGmNiYpk6"  # FLAW: key committed with the code

SECURE_SSL_REDIRECT = False  # FLAW: plain HTTP requests are served as-is

CORS_ALLOW_ALL_ORIGINS = True  # FLAW: any origin may call the application
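The following is an added example, not code from the page or from the detector it documents: a small stand-alone checker that applies the seven checks listed in the rationale to the text of a settings.py. It parses the module with the `ast` module instead of importing it (importing settings executes arbitrary code and pulls in Django), reads top-level literal assignments, and reports a finding per check. The check names, the two constructed sample settings strings and the `load_settings`/`check_settings` function names are this example's own.

```python
import ast

SECURITY_MIDDLEWARE = "django.middleware.security.SecurityMiddleware"

# Hashers Django ships only so legacy databases can be upgraded; none of them
# belongs in the first (active) slot of PASSWORD_HASHERS.
WEAK_HASHERS = {
    "django.contrib.auth.hashers.SHA1PasswordHasher",
    "django.contrib.auth.hashers.MD5PasswordHasher",
    "django.contrib.auth.hashers.UnsaltedSHA1PasswordHasher",
    "django.contrib.auth.hashers.UnsaltedMD5PasswordHasher",
    "django.contrib.auth.hashers.CryptPasswordHasher",
}


def load_settings(source):
    """Collect top-level NAME = <literal> assignments from settings source.

    A value that is not a literal (os.environ[...], a Path expression, ...)
    is stored as None, so callers can tell "computed at runtime" apart from
    "never assigned" (absent from the dict).
    """
    settings = {}
    for node in ast.parse(source).body:
        if not isinstance(node, ast.Assign):
            continue
        for target in node.targets:
            if isinstance(target, ast.Name):
                try:
                    settings[target.id] = ast.literal_eval(node.value)
                except ValueError:  # not a literal: os.environ[...], calls, ...
                    settings[target.id] = None
    return settings


def check_settings(source):
    """Return (check name, message) pairs for each unsafe setting found."""
    s = load_settings(source)
    findings = []

    hosts = s.get("ALLOWED_HOSTS")
    if not hosts or "*" in hosts:
        findings.append(("checkAllowedHosts",
                         "ALLOWED_HOSTS is empty or contains '*'"))

    if s.get("DEBUG") is True:
        findings.append(("checkDebug",
                         "DEBUG = True exposes tracebacks and settings"))

    # A string literal means the key lives in the repository.
    if isinstance(s.get("SECRET_KEY"), str):
        findings.append(("checkHardcodedSecret", "SECRET_KEY is hardcoded"))

    # Django's default is False, so an absent setting is as bad as False.
    if s.get("SECURE_SSL_REDIRECT") is not True:
        findings.append(("checkSecureSslRedirect",
                         "SECURE_SSL_REDIRECT is not True"))

    if SECURITY_MIDDLEWARE not in (s.get("MIDDLEWARE") or []):
        findings.append(("checkSecurityMiddleware",
                         "SecurityMiddleware is missing from MIDDLEWARE"))

    # Only the first hasher is used for new passwords; the rest verify old ones.
    hashers = s.get("PASSWORD_HASHERS") or []
    if hashers and hashers[0] in WEAK_HASHERS:
        findings.append(("checkWeakHash",
                         "active password hasher is %s" % hashers[0]))

    # django-cors-headers setting; CORS_ORIGIN_ALLOW_ALL is its older name.
    if s.get("CORS_ALLOW_ALL_ORIGINS") is True or s.get("CORS_ORIGIN_ALLOW_ALL") is True:
        findings.append(("checkCorsAllowAllOrigins",
                         "CORS_ALLOW_ALL_ORIGINS = True accepts any origin"))

    return findings


# Constructed sample mirroring the page's vulnerable settings.py.
VULNERABLE_SETTINGS = '''
ALLOWED_HOSTS = ["*"]
DEBUG = True
MIDDLEWARE = [
    "django.middleware.common.CommonMiddleware",
    "django.middleware.csrf.CsrfViewMiddleware",
]
PASSWORD_HASHERS = ["django.contrib.auth.hashers.SHA1PasswordHasher"]
SECRET_KEY = "sxxpW8y1d4nycVK84cyYtD0RGmNiYpk684cyYtD0RGmNiYpk6"
SECURE_SSL_REDIRECT = False
CORS_ALLOW_ALL_ORIGINS = True
'''

# Constructed sample mirroring the sanitized version.
SAFE_SETTINGS = '''
import os
ALLOWED_HOSTS = ["my-site.com"]
DEBUG = False
MIDDLEWARE = [
    "django.middleware.security.SecurityMiddleware",
    "django.middleware.common.CommonMiddleware",
    "django.middleware.csrf.CsrfViewMiddleware",
]
PASSWORD_HASHERS = ["django.contrib.auth.hashers.PBKDF2PasswordHasher"]
SECRET_KEY = os.environ["DJANGO_SECRET_KEY"]
SECURE_SSL_REDIRECT = True
CORS_ALLOW_ALL_ORIGINS = False
'''

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SETTINGS), ("sanitized", SAFE_SETTINGS)):
        print(label, [name for name, _ in check_settings(src)])
```

Two design points matter for a real scanner. First, settings that are never assigned still count: an empty module is flagged for ALLOWED_HOSTS, SECURE_SSL_REDIRECT and SecurityMiddleware because Django's defaults for those are insecure, whereas DEBUG and CORS default to off. Second, a SECRET_KEY computed at runtime (environment lookup, secrets manager call) is deliberately treated as "not hardcoded" rather than guessed at; the checker only has the source text, so it reports what it can prove.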

Remediation

The sanitized version of the previous example would look like this. SecurityMiddleware is placed first in MIDDLEWARE, the secret key is read from the environment, and each remaining setting is set to its safe value:

import os

ALLOWED_HOSTS = ["my-site.com"]  # only the hostnames this deployment serves

DEBUG = False

MIDDLEWARE = [
    # SecurityMiddleware goes first so it handles every request before other middleware
    "django.middleware.security.SecurityMiddleware",
    "django.middleware.common.CommonMiddleware",
    "django.middleware.locale.LocaleMiddleware",
    "django.middleware.csrf.CsrfViewMiddleware",
    "django.middleware.clickjacking.XFrameOptionsMiddleware",
    "django.contrib.sessions.middleware.SessionMiddleware",
    "django.contrib.auth.middleware.AuthenticationMiddleware",
    "django.contrib.messages.middleware.MessageMiddleware",
]

PASSWORD_HASHERS = [
    # Django's default; Argon2PasswordHasher is also acceptable (requires argon2-cffi)
    "django.contrib.auth.hashers.PBKDF2PasswordHasher",
]

# Read the key from the environment. Indexing rather than .get() makes startup
# fail loudly when the variable is missing instead of silently using None.
SECRET_KEY = os.environ["DJANGO_SECRET_KEY"]

SECURE_SSL_REDIRECT = True  # enforced by SecurityMiddleware

CORS_ALLOW_ALL_ORIGINS = False  # list trusted origins explicitly in CORS_ALLOWED_ORIGINS

Django's own deployment checklist overlaps with this rule: running python manage.py check --deploy with the production settings reports DEBUG = True, a missing SecurityMiddleware, a disabled SECURE_SSL_REDIRECT, a weak SECRET_KEY and an empty ALLOWED_HOSTS. It does not cover CORS, which lives outside Django core, nor does it tell a hardcoded key from one loaded from the environment.

Configuration

The detector has the following configurable parameters:

  • checkAllowedHosts, that indicates if the ALLOWED_HOSTS configuration must be checked.

  • checkCorsAllowAllOrigins, that indicates if the CORS_ALLOW_ALL_ORIGINS configuration must be checked.

  • checkDebug, that indicates if the DEBUG configuration must be checked.

  • checkHardcodedSecret, that indicates if a hardcoded SECRET_KEY must be reported.

  • checkSecureSslRedirect, that indicates if the detector should ensure that SECURE_SSL_REDIRECT is enabled.

  • checkSecurityMiddleware, that indicates if the Django SecurityMiddleware existence must be checked.

  • checkWeakHash, that indicates if weak password hashing configurations must be checked.