SeaSurf is a Flask extension for preventing cross-site request forgery (CSRF).

Related tags

Flask flask-seasurf
Overview

Flask-SeaSurf

build status

SeaSurf is a Flask extension for preventing cross-site request forgery (CSRF).

CSRF vulnerabilities have been found in large and popular sites such as YouTube. These attacks are problematic because the mechanism they use is relatively easy to exploit. This extension attempts to aid you in securing your application from such attacks.

This extension is based on the excellent Django middleware.

Installation

Install the extension with one of the following commands:

$ easy_install flask-seasurf

or alternatively if you have pip installed:

$ pip install flask-seasurf

Usage

Using SeaSurf is fairly straightforward. Begin by importing the extension and then passing your application object back to the extension, like this:

from flask_seasurf import SeaSurf
csrf = SeaSurf(app)

Documentation

The Sphinx-compiled documentation is available here: https://flask-seasurf.readthedocs.io/

Comments
  • remove secret from hashed cookie value

    remove secret from hashed cookie value

    I would like to discuss the reason behind using the app's secret key in the hashed csrf token cookie value.

    Hashing the secret key in the CSRF token cookie value means if someone discovers how to predict python's random number generation then they will have an unsalted hash of the app's secret key.

    The point of FlaskSeaSurf is to validate the X-CSRFToken header value equals the randomly generated CSRF token cookie value. This ensures the request is coming code running on the same domain as the csrf token cookie. How does using the app's secret key provide any added security?

    Some info on when Python's random number generator becomes predictable:

    http://www.godsmonsters.com/Features/how-random-python/

    http://stackoverflow.com/questions/2145510/python-random-is-barely-random-at-all

    https://spideroak.com/blog/20121205114003-exploit-information-leaks-in-random-numbers-from-python-ruby-and-php

    opened by alanhamlett 13
  • `init_app` does not support multiple apps in the same process

    `init_app` does not support multiple apps in the same process

    By setting self.app = app in init_app, you can't effectively share one instance of SeaSurf in the same process that has multiple Flask apps. self.app should only be set in the SeaSurf constructor.

    opened by mattupstate 11
  • Python Code Injection

    Python Code Injection

    While running a dynamic scan against an app protected by seasurf, Burp Suite Pro flagged an issue with the CSRF token.

    For a GET operation, it altered the _csrf_token value as below, and raised an alarm when the app didn't respond for > 20 seconds, indicating the sleep operation was successfully run, indicating a Python injection vulnerability.

    Cookie: _csrf_token=eval(compile('for%20x%20in%20range(1)%3a%5cn%20import%20time%5cn%20time.sleep(20)'%2c'a'%2c'single'));

    opened by edmacke 10
  • Updated Pypi release

    Updated Pypi release

    The last release to pypi was 0.2.2 on 3/16/2016. It looks like some of the commits since then are nice to have published. Is there another release planned?

    opened by jasco 10
  • Remove Jinja2 dependency for better AJAX support

    Remove Jinja2 dependency for better AJAX support

    Currently, flask-seasurf will only send the client a cookie containing a CSRF token if someone has called the _get_token() function, usually from a Jinja2 view.

    If you are doing AJAX requests and don't use the Jinja2 tag {{ csrf_token }} - that is, if you just want to use the value in the cookie for doing some AJAX after loading a CSRF-protected view, this change lets you do that.

    It adds a bit of the request context into the application global g so that the response can know whether or not it should include a cookie. I thought that it would be reasonable to set the cookie on the response if the page should be protected per the app config.

    Because all views that are protected per the config can now get the cookie upon render, there is no need to check and see if someone actually used the csrf_token tag. Previously, the 'used' flag was never set, meaning the cookie never got set.

    opened by zdexter 10
  • wrong comparison, making it potentially pointless

    wrong comparison, making it potentially pointless

    i think the csrf token must not just be stored in a cookie.

    A cookie comes from the client. The cookie name is known and the client (attacker) can (at least potentially) put any value it likes in there. Maybe not easily (different domain) , but browsers could have bugs also...

    Then, you compare that value against another value (the csrf token form field or http header value) that also comes from same client.

    So, if client just puts same value at both places, it can do any csrf it likes.

    If the csrf token is not read from the cookie, but from the session (which either comes from a file on the server or from a signed SecureCookie), the client can not tamper it.

    See also there: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet

    And there: https://docs.djangoproject.com/en/dev/ref/contrib/csrf/ """ Limitations

    Subdomains within a site will be able to set cookies on the client for the whole domain. By setting the cookie and using a corresponding token, subdomains will be able to circumvent the CSRF protection. The only way to avoid this is to ensure that subdomains are controlled by trusted users (or, are at least unable to set cookies). Note that even without CSRF, there are other vulnerabilities, such as session fixation, that make giving subdomains to untrusted parties a bad idea, and these vulnerabilities cannot easily be fixed with current browsers. """

    opened by ThomasWaldmann 10
  • Token validation for GET requests

    Token validation for GET requests

    I've been reading about CSRF and it looks like one should only do retrieval with GET request and everything else with a POST request. This is quite inconvenient with a list of delete links in a list or a logout link.

    opened by FSX 8
  • "Include" view decorator

    I added include decorator and one parametr in app config 'SEASURF_INCLUDE_OR_EXEMPT_VIEWS'. Also add new test for new decorator and some minor changes.

    opened by klinkin 8
  • add exempt url prefix support

    add exempt url prefix support

    In current version, only views could be exempted from CSRF check. It seems not that convenient sometimes since users have to put csrf.exempt to each views.

    I just added a new method to allow users to exempt from CSRF check based on url rules.

    opened by killpanda 7
  • Document testing?

    Document testing?

    The fact that you can disable testing with app.config["TESTING"] = True is amazing.

    I'm not sure about the security implementations but please document this in the official documentations.

    opened by shuhaowu 5
  • strange token generation code

    strange token generation code

    what is the point of that code (compared to just using a random value as csrf token)?:

        salt = (randrange(0, _MAX_CSRF_KEY), self._secret_key)
        return str(hashlib.sha1('%s%s' % salt).hexdigest())
    

    (flask-csrf just uses str(uuid4()) btw.)

    opened by ThomasWaldmann 5
  • Can't add exempt for Blueprints

    Can't add exempt for Blueprints

    Anyone got a hint how to add a Blueprint's route to the _exempt_views set? Something like csrf._exempt_views.add("bp_user.someroute") Importing the root @csrf.exempt decorator in the Blueprint doesn't seem to work either

    opened by marban 1
  • disable_cookie prevents token value being stored in session

    disable_cookie prevents token value being stored in session

    I might be missing something here, but there seems to be a flaw with the disable_cookie logic.

    If I set disable_cookie to True using app.csrf.disable_cookie(lambda r: True) Seasurf stops returning the set-cookie header as expected. However, the token value it generated (in its _before_request function) only seems to get set into session during the _set_csrf_cookie function, which is now bypassed because I have disabled_cookies. Since the token is never set into session, a new token will be generated on every request so I will never be able to get CSRF to pass validation.

    The only way around this is to call current_app.csrf.generate_new_token() in the view function, as this function does set the new token value into session, but that means a new token value will be generated every request (thankfully previous ones will validate before they change).

    Would it not make more sense to set the token value into session in _before_request when it is generated? Perhaps I am missing something obvious here?

    opened by psycle-dblakemore 0
  • Way to select session or cookie based tokens?

    Way to select session or cookie based tokens?

    With the django middleware the default settings are such that the CSRF token is stored in a cookie, with an optional setting to store in a server side session instead of using the cookie.

    With Flask-Seasurf it appears that the default is to store the token in both the session and the cookie, but always use the session to validate against. I can't see a way to configure things to set just the session and not the cookie, or to use just the cookie and not store/validate against the session.

    There is a disable_cookie() decorator, but that appears to disable session based storage too (as the session is actually updated in _set_session_cookie), Not sure if that's intentional - feels like a bug?

    Ideally it would be nice for Flask-Seasurf to have the same flexibility as the django middleware, but if not it would be good to get a way to optionally disable the cookie as it doesn't seem to be strictly required.

    feature-request 
    opened by rkerr 0
  • Document options loaded from app.config in init_app

    Document options loaded from app.config in init_app

    The init_app function loads some options from app.config, I think this should be added to the docs, as it provides a mean of configuration.

    self._csrf_name = app.config.get('CSRF_COOKIE_NAME', '_csrf_token')
    self._csrf_header_name = app.config.get('CSRF_HEADER_NAME',
                                                    'X-CSRFToken')
    self._csrf_disable = app.config.get('CSRF_DISABLE',
                                                app.config.get('TESTING', False))
    self._csrf_timeout = app.config.get('CSRF_COOKIE_TIMEOUT',
                                                timedelta(days=5))
    self._csrf_secure = app.config.get('CSRF_COOKIE_SECURE', False)
    self._csrf_httponly = app.config.get('CSRF_COOKIE_HTTPONLY', False)
    self._type = app.config.get('SEASURF_INCLUDE_OR_EXEMPT_VIEWS',
                                        'exempt')
    

    Especially CSRF_COOKIE_NAME which can be set to 'csrf_token' to get compatibility with Flask-Admin.

    good first issue 
    opened by nomorepanic 2
Owner
Max Countryman
Distributed systems, functional programming, cloud computing.
Max Countryman
Flask-Bcrypt is a Flask extension that provides bcrypt hashing utilities for your application.

Flask-Bcrypt Flask-Bcrypt is a Flask extension that provides bcrypt hashing utilities for your application. Due to the recent increased prevelance of

Max Countryman 282 Feb 11, 2021
flask-apispec MIT flask-apispec (🥉24 · ⭐ 520) - Build and document REST APIs with Flask and apispec. MIT

flask-apispec flask-apispec is a lightweight tool for building REST APIs in Flask. flask-apispec uses webargs for request parsing, marshmallow for res

Joshua Carp 617 Dec 30, 2022
Live Corona statistics and information site with flask.

Flask Live Corona Info Live Corona statistics and information site with flask. Tools Flask Scrapy Matplotlib How to Run Project Download Codes git clo

Mohammad Dori 5 Jul 15, 2022
MongoEngine flask extension with WTF model forms support

Flask-MongoEngine Info: MongoEngine for Flask web applications. Repository: https://github.com/MongoEngine/flask-mongoengine About Flask-MongoEngine i

MongoEngine 815 Jan 3, 2023
A caching extension for Flask

Flask-Caching Adds easy cache support to Flask. This is a fork of the Flask-Cache extension. Flask-Caching also includes the cache module from werkzeu

Peter Justin 774 Jan 2, 2023
Rate Limiting extension for Flask

Flask-Limiter Flask-Limiter provides rate limiting features to flask routes. It has support for a configurable backend for storage with current implem

Ali-Akber Saifee 922 Jan 8, 2023
A flask extension using pyexcel to read, manipulate and write data in different excel formats: csv, ods, xls, xlsx and xlsm.

Flask-Excel - Let you focus on data, instead of file formats Support the project If your company has embedded pyexcel and its components into a revenu

null 247 Dec 27, 2022
flask extension for integration with the awesome pydantic package

Flask-Pydantic Flask extension for integration of the awesome pydantic package with Flask. Installation python3 -m pip install Flask-Pydantic Basics v

null 249 Jan 6, 2023
A Flask extension that enables or disables features based on configuration.

Flask FeatureFlags This is a Flask extension that adds feature flagging to your applications. This lets you turn parts of your site on or off based on

Rachel Greenfield 131 Sep 26, 2022
A Flask extension that enables or disables features based on configuration.

Flask FeatureFlags This is a Flask extension that adds feature flagging to your applications. This lets you turn parts of your site on or off based on

Rachel Greenfield 124 Jan 22, 2021
A Flask extension that enables or disables features based on configuration.

Flask FeatureFlags This is a Flask extension that adds feature flagging to your applications. This lets you turn parts of your site on or off based on

Rachel Greenfield 131 Sep 26, 2022
An extension to add support of Plugin in Flask.

An extension to add support of Plugin in Flask.

Doge Gui 31 May 19, 2022
Cross Origin Resource Sharing ( CORS ) support for Flask

Flask-CORS A Flask extension for handling Cross Origin Resource Sharing (CORS), making cross-origin AJAX possible. This package has a simple philosoph

Cory Dolphin 803 Jan 1, 2023
Flask-Rebar combines flask, marshmallow, and swagger for robust REST services.

Flask-Rebar Flask-Rebar combines flask, marshmallow, and swagger for robust REST services. Features Request and Response Validation - Flask-Rebar reli

PlanGrid 223 Dec 19, 2022
Flask-Starter is a boilerplate starter template designed to help you quickstart your Flask web application development.

Flask-Starter Flask-Starter is a boilerplate starter template designed to help you quickstart your Flask web application development. It has all the r

Kundan Singh 259 Dec 26, 2022
Brandnew-flask is a CLI tool used to generate a powerful and mordern flask-app that supports the production environment.

Brandnew-flask is still in the initial stage and needs to be updated and improved continuously. Everyone is welcome to maintain and improve this CLI.

brandonye 4 Jul 17, 2022
Flask Project Template A full feature Flask project template.

Flask Project Template A full feature Flask project template. See also Python-Project-Template for a lean, low dependency Python app. HOW TO USE THIS

Bruno Rocha 96 Dec 23, 2022
A Fast API style support for Flask. Gives you MyPy types with the flexibility of flask

Flask-Fastx Flask-Fastx is a Fast API style support for Flask. It Gives you MyPy types with the flexibility of flask. Compatibility Flask-Fastx requir

Tactful.ai 18 Nov 26, 2022
Flask-app scaffold, generate flask restful backend

Flask-app scaffold, generate flask restful backend

jacksmile 1 Nov 24, 2021