

@codingjoe
Created September 29, 2020 13:30
diff --git a/django/core/checks/security/base.py b/django/core/checks/security/base.py
index c21725518b..ecd5f5e004 100644
--- a/django/core/checks/security/base.py
+++ b/django/core/checks/security/base.py
@@ -4,6 +4,8 @@ from django.conf import settings
from django.core.exceptions import ImproperlyConfigured
from .. import Error, Tags, Warning, register
+from ...cache import caches
+from ...cache.backends.filebased import FileBasedCache
REFERRER_POLICY_VALUES = {
'no-referrer', 'no-referrer-when-downgrade', 'origin',
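Review bot: The two new imports use three-dot relative paths while the neighbouring lines import `django.conf` and `django.core.exceptions` absolutely; `from django.core.cache import caches` and `from django.core.cache.backends.filebased import FileBasedCache` would match the file's existing style. Importing `caches` at module level also pulls the cache machinery into the checks module at import time, which is worth a glance for import-cycle risk. As far as I know `caches` is a lazy handler, so no backend is constructed until an alias is resolved, which keeps the import itself side-effect free.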
@@ -242,19 +244,17 @@ def check_cache_and_media_root(app_configs, **kwargs):
if not settings.MEDIA_ROOT:
return []
_media_root = os.path.abspath(settings.MEDIA_ROOT)
- for cache_name, cache_params in settings.CACHES.items():
- if 'django.core.cache.backends.filebased.FileBasedCache' in cache_params['BACKEND']:
+ for alias, cache in caches:
+ if isinstance(cache, FileBasedCache):
location_check = (
_media_root,
- cache_params['LOCATION'],
+ cache._dir,
)
if os.path.commonpath(location_check) == _media_root:
return [Warning(
"Your cache configuration might expose or corrupt your file system.",
- hint="You cache '%(cache_name)s' is inside your 'MEDIA_ROOT'" % {
- 'cache_name': cache_name
- },
- id='security.W023',
+ hint=f"You cache '{alias}' is inside your 'MEDIA_ROOT'",
+ id='security.W024',
)]
return []
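Review bot: `for alias, cache in caches:` on the new side does not match how the cache handler iterates: as far as I recall, iterating `caches` yields only the alias strings, so the tuple unpacking would raise ValueError for any alias not exactly two characters long (the same loop appears in check_cache_and_static_root and check_cache_and_staticfiles_dirs). The loop should be `for alias in caches:` followed by `cache = caches[alias]`. Resolving `caches[alias]` instantiates the backend, so the deploy check now has side effects the old settings-only scan did not (I believe the FileBasedCache constructor creates its directory), and `cache._dir` reads a private attribute; a one-line comment such as `# Use the instantiated backend: its directory is already absolute, unlike LOCATION` would record why this is preferred over `cache_params['LOCATION']`. The id `security.W024` used here does not match `security.W24` written in docs/ref/checks.txt and docs/releases/3.2.txt. check_cache_and_media_root's signature lies in the hunk header, outside the hunk.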
@@ -264,19 +264,17 @@ def check_cache_and_static_root(app_configs, **kwargs):
if not settings.STATIC_ROOT:
return []
_static_root = os.path.abspath(settings.STATIC_ROOT)
- for cache_name, cache_params in settings.CACHES.items():
- if 'django.core.cache.backends.filebased.FileBasedCache' in cache_params['BACKEND']:
+ for alias, cache in caches:
+ if isinstance(cache, FileBasedCache):
location_check = (
_static_root,
- cache_params['LOCATION'],
+ cache._dir,
)
if os.path.commonpath(location_check) == _static_root:
return [Warning(
"Your cache configuration might expose or corrupt your file system.",
- hint="You cache '%(cache_name)s' is inside your 'STATIC_ROOT'" % {
- 'cache_name': cache_name
- },
- id='security.W023',
+ hint=f"You cache '{alias}' is inside your 'STATIC_ROOT'",
+ id='security.W024',
)]
return []
@@ -288,16 +286,14 @@ def check_cache_and_staticfiles_dirs(app_configs, **kwargs):
_abs_static_files_dirs = set()
for root in settings.STATICFILES_DIRS:
_abs_static_files_dirs.add(os.path.abspath(root))
- for cache_name, cache_params in settings.CACHES.items():
- if 'django.core.cache.backends.filebased.FileBasedCache' in cache_params['BACKEND']:
- if any(os.path.commonpath((_root, cache_params['LOCATION'])) == _root
+ for alias, cache in caches:
+ if isinstance(cache, FileBasedCache):
+ if any(os.path.commonpath((_root, cache._dir)) == _root
for _root in _abs_static_files_dirs):
return [Warning(
"Your cache configuration might expose or corrupt your file system.",
- hint="You cache '%(cache_name)s' is inside your 'STATICFILES_DIRS'" % {
- 'cache_name': cache_name
- },
- id='security.W023',
+ hint=f"You cache '{alias}' is inside your 'STATICFILES_DIRS'",
+ id='security.W024',
)]
return []
diff --git a/docs/ref/checks.txt b/docs/ref/checks.txt
index 0e1ee50b46..277d529a96 100644
--- a/docs/ref/checks.txt
+++ b/docs/ref/checks.txt
@@ -483,6 +483,8 @@ The following checks are run if you use the :option:`check --deploy` option:
should consider enabling this header to protect user privacy.
* **security.E023**: You have set the :setting:`SECURE_REFERRER_POLICY` setting
to an invalid value.
+* **security.W24**: You have set the :setting:`CACHES` ``LOCATION`` setting
+ to directory otherwise used by the application.
The following checks verify that your security-related settings are correctly
configured:
diff --git a/docs/releases/3.2.txt b/docs/releases/3.2.txt
index e66e5777d5..f12ef716df 100644
--- a/docs/releases/3.2.txt
+++ b/docs/releases/3.2.txt
@@ -335,6 +335,9 @@ Security
``SECRET_KEY``, and then going on to access ``settings.SECRET_KEY`` will now
raise an :exc:`~django.core.exceptions.ImproperlyConfigured` exception.
+* The new ``security.W24`` warning alerts about suspicious cache locations
+ when using the :class:`~django.core.cache.backends.filebased.FileBasedCache`.
+
Serialization
~~~~~~~~~~~~~
diff --git a/tests/check_framework/test_security.py b/tests/check_framework/test_security.py
index 7fba0798e2..f6f6d3937a 100644
--- a/tests/check_framework/test_security.py
+++ b/tests/check_framework/test_security.py
@@ -483,7 +483,7 @@ class CheckCacheLocationTest(SimpleTestCase):
self.assertEqual(base.check_cache_and_media_root(None), [Warning(
"Your cache configuration might expose or corrupt your file system.",
hint="You cache 'default' is inside your 'MEDIA_ROOT'",
- id='security.W023',
+ id='security.W024',
)])
@override_settings(
@@ -511,7 +511,7 @@ class CheckCacheLocationTest(SimpleTestCase):
self.assertEqual(base.check_cache_and_static_root(None), [Warning(
"Your cache configuration might expose or corrupt your file system.",
hint="You cache 'default' is inside your 'STATIC_ROOT'",
- id='security.W023',
+ id='security.W024',
)])
@override_settings(
@@ -541,7 +541,7 @@ class CheckCacheLocationTest(SimpleTestCase):
self.assertEqual(base.check_cache_and_staticfiles_dirs(None), [Warning(
"Your cache configuration might expose or corrupt your file system.",
hint="You cache 'default' is inside your 'STATICFILES_DIRS'",
- id='security.W023',
+ id='security.W024',
)])
@override_settings(