
django-security's Issues

Support for Django 1.4

Having installed via PIP I am getting a message saying that Django 1.4 is not supported. Is there anything in the pipeline for support?

ForeignKey(unique=True) is usually better served by a OneToOneField.

Found this issue also.

security.PasswordExpiry.user: (fields.W342) Setting unique=True on a ForeignKey has the same effect as using a OneToOneField.
HINT: ForeignKey(unique=True) is usually better served by a OneToOneField.

I have personally run into this before and swapping out the ForeignKey for the OneToOneField had been backwards compatible, meaning old code should not break.

No documentation

On readthedocs there is no configuration at all, so it is not possible to see what options are required.

SessionSecurityMiddleware Client Activity Keep-Alive

I really like the all-in-one convenience of django-security, but the SessionSecurityMiddleware implementation lacks the client-side keep-alive available in django-session-security. The keep-alive is important to us because our product is used to guide a conversation with a customer so our users are often "active" on a page without server-side interaction.

Any interest in adding a keep-alive feature to django-security? If so, what approach would you prefer? The licenses look compatible so it seems like any of the following would work:

  • Replace SessionSecurityMiddleware with the django-session-security implementation
  • Port the JS code to SessionSecurityMiddleware
  • Include both in django-security

Support for nonce-<base64-value>

Hi, I've created a subclass of ContentSecurityPolicyMiddleware and an accompanying template context processor so I can do:

<script type="text/javascript" nonce="{{ csp_nonce }}">
</script>

Is there any interest in this? If so I can make a PR.

Thanks!

Configurable Password Expiration rules for newly created users.

I'd like to migrate to django-security, unfortunately this means two things need to happen (in my codebase/environment, or in the larger project...somewhere)

Currently, with the password expiry middleware enabled, we'll create new PasswordExpiry objects for each user when my tests are run. Because auto_now_add=True on PasswordExpiry.password_expiry_date, this means that many of my view-based integration tests are failing because all users that get created via models also get their password expired.

If instead of auto_now_add=True there were a default that checked a setting, this could be configurable per installation.

This would save me from re-writing several hundred tests in order to implement this feature, and it would ease the transition into production for my current project.

Support for both enforcement and report-only modes deployed simultaneously

CSP standard supports continuous integration thanks to separation of Content-Security-Policy and Content-Security-Policy-Report-Only headers that can coexist simultaneously. This way policies can slowly and gradually make their way from report-only to enforcement mode, and it is not that painful to support sites with continuous development and content structure changing over time.

django-security currently only supports an exclusive selection of enforcement vs. report-only mode, but not both at the same time. This is a huge limitation in all practical deployments; it would be great to support this.
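An added example (not django-security's own code) serving both the nonce request above and this issue: a framework-agnostic Python sketch that mints a per-response nonce, appends 'nonce-...' to script-src and style-src, and emits the enforced and report-only headers side by side. FakeRequest, the policy dicts and the function names are assumptions for the example.

```python
import base64
import secrets

ENFORCE_HEADER = "Content-Security-Policy"
REPORT_ONLY_HEADER = "Content-Security-Policy-Report-Only"
NONCE_DIRECTIVES = ("script-src", "style-src")


class FakeRequest:
    """Stand-in for a Django HttpRequest (assumed); only carries csp_nonce."""


def make_nonce(nbytes=16):
    """Fresh, unguessable per-response nonce; base64 as nonce-source requires."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def serialize_policy(policy, nonce=None):
    """Render {"script-src": ["'self'"], ...} as a header value; with a nonce,
    'nonce-<value>' is appended to script-src/style-src so only inline blocks
    carrying nonce="<value>" may run."""
    parts = []
    for directive, sources in policy.items():
        sources = list(sources)
        if nonce and directive in NONCE_DIRECTIVES:
            sources.append("'nonce-%s'" % nonce)
        parts.append(directive + " " + " ".join(sources))
    return "; ".join(parts)


def csp_headers(enforce, report_only=None, nonce=None):
    """The two headers coexist: the enforced policy blocks, the report-only
    one only reports, so a stricter candidate can be trialled in production."""
    headers = {ENFORCE_HEADER: serialize_policy(enforce, nonce)}
    if report_only:
        headers[REPORT_ONLY_HEADER] = serialize_policy(report_only, nonce)
    return headers


def apply_csp(request, response_headers, enforce, report_only=None):
    """Middleware-style step: mint the nonce, expose it on the request (a
    context processor would pass it to templates as {{ csp_nonce }}) and
    set both headers on the outgoing response. Returns the nonce."""
    request.csp_nonce = make_nonce()
    response_headers.update(csp_headers(enforce, report_only, request.csp_nonce))
    return request.csp_nonce
```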

Null penetration detection & prevention

I am using https://pypi.org/project/schemathesis/ to smoke test a Django DRF API, and find that NULL is frequently causing problems.

I have run into NULL in

It seems like something this app might detect and prevent at a higher level, rather than every single app needing to have dedicated null detection, or try/except everywhere to reply with an error blaming the client instead of a server error. Obviously a dedicated frontend processor doing packet analysis is the best approach, but it seems there is room for a simpler solution within Django that could reach the 80/20 rule.

If there are other more suitable projects for active abuse detection in django, I'd be glad to be redirected elsewhere.
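An added example (not django-security's code) of the kind of app-level gate this issue asks for: a scanner that decodes the raw query string (so %00 becomes a real NUL, as Django's QueryDict would) and walks a parsed JSON body, returning the paths of every value or key that carries a NUL byte so the app can answer 400 before the ORM fails. The function names and sample inputs are constructed for the example.

```python
from urllib.parse import parse_qs

NUL = "\x00"


def find_nul(value, path=""):
    """Walk strings, bytes, dicts and lists; return the path of every value
    (or dict key) that contains a NUL byte. Empty list means clean."""
    hits = []
    if isinstance(value, str):
        if NUL in value:
            hits.append(path or "<root>")
    elif isinstance(value, bytes):
        if b"\x00" in value:
            hits.append(path or "<root>")
    elif isinstance(value, dict):
        for key, item in value.items():
            name = str(key).replace(NUL, "\\x00")  # keep the path printable
            child = "%s.%s" % (path, name) if path else name
            if isinstance(key, str) and NUL in key:
                hits.append(child + " (key)")
            hits.extend(find_nul(item, child))
    elif isinstance(value, (list, tuple)):
        for index, item in enumerate(value):
            hits.extend(find_nul(item, "%s[%d]" % (path, index)))
    return hits


def check_request(query_string, json_body=None):
    """Gate to run before the view: scan the decoded query string and the
    already parsed JSON body. A non-empty result is the cue to reply 400
    (client error) instead of letting the database raise a 500."""
    hits = find_nul(parse_qs(query_string), "query")
    if json_body is not None:
        hits.extend(find_nul(json_body, "body"))
    return hits
```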

The security/urls.py needs updating to work with Django 1.9.0 and above.

The security/urls.py needs updating.

from django.conf.urls import patterns, url

from security import views


urlpatterns = patterns(
    '',
    url('^/csp-report/$', views.csp_report),
)

Should be:

import django
from django.conf.urls import url

from security import views


if django.VERSION >= (1, 8):
    urlpatterns = [
        url('^/csp-report/$', views.csp_report),
    ]
else:
    from django.conf.urls import patterns
    urlpatterns = patterns(
        '',
        url('^/csp-report/$', views.csp_report),
    )

Django 1.10 generates a warning

After just the basic setup from readme this warning is shown. No extra steps are required.

WARNINGS:
security.PasswordExpiry.user: (fields.W342) Setting unique=True on a ForeignKey has the same effect as using a OneToOneField.
HINT: ForeignKey(unique=True) is usually better served by a OneToOneField.

For Django 2.0+ 'on_delete' missing

I'm using Django 2.0.2. Since Django 2.x, on_delete is a required argument: https://docs.djangoproject.com/en/2.0/ref/models/fields/#django.db.models.ForeignKey.on_delete

I'm getting the following stack trace when I attempt to install django-security:

Unhandled exception in thread started by <function check_errors.<locals>.wrapper at 0x10520c7b8>
Traceback (most recent call last):
  File "/Users/nina/Documents/Sites/project-name/venv/lib/python3.6/site-packages/django/utils/autoreload.py", line 225, in wrapper
    fn(*args, **kwargs)
  File "/Users/nina/Documents/Sites/project-name/venv/lib/python3.6/site-packages/django/core/management/commands/runserver.py", line 113, in inner_run
    autoreload.raise_last_exception()
  File "/Users/nina/Documents/Sites/project-name/venv/lib/python3.6/site-packages/django/utils/autoreload.py", line 248, in raise_last_exception
    raise _exception[1]
  File "/Users/nina/Documents/Sites/project-name/venv/lib/python3.6/site-packages/django/core/management/__init__.py", line 327, in execute
    autoreload.check_errors(django.setup)()
  File "/Users/nina/Documents/Sites/project-name/venv/lib/python3.6/site-packages/django/utils/autoreload.py", line 225, in wrapper
    fn(*args, **kwargs)
  File "/Users/nina/Documents/Sites/project-name/venv/lib/python3.6/site-packages/django/__init__.py", line 24, in setup
    apps.populate(settings.INSTALLED_APPS)
  File "/Users/nina/Documents/Sites/project-name/venv/lib/python3.6/site-packages/django/apps/registry.py", line 112, in populate
    app_config.import_models()
  File "/Users/nina/Documents/Sites/project-name/venv/lib/python3.6/site-packages/django/apps/config.py", line 198, in import_models
    self.models_module = import_module(models_module_name)
  File "/Users/nina/Documents/Sites/project-name/venv/lib/python3.6/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 994, in _gcd_import
  File "<frozen importlib._bootstrap>", line 971, in _find_and_load
  File "<frozen importlib._bootstrap>", line 955, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 665, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 678, in exec_module
  File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
  File "/Users/nina/Documents/Sites/project-name/venv/lib/python3.6/site-packages/security/models.py", line 14, in <module>
    class PasswordExpiry(models.Model):
  File "/Users/nina/Documents/Sites/project-name/venv/lib/python3.6/site-packages/security/models.py", line 27, in PasswordExpiry
    user = models.ForeignKey(USER_MODEL, unique=True)
TypeError: __init__() missing 1 required positional argument: 'on_delete'

Throttling cache keys are too long.

The keys you can supply to memcache have a maximum length of 255 characters. This makes them too short to store a username and IP address. (The username can be 255 characters itself.) I'm not sure what the best way to get around this is. We could store a (truncated) hash of the username, perhaps?
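An added example (not django-security's code) of the hashed-key approach the post suggests: identity is hashed so a 255-character username still yields a short, memcache-safe key. The 250-byte budget is an assumption (a little under the 255 the post cites), and the prefix and function names are constructed for the example.

```python
import hashlib
import re

MAX_KEY_LEN = 250  # assumed budget, a little under the 255 bytes the issue mentions
_UNSAFE = re.compile(r"[^A-Za-z0-9_.:-]")


def throttle_key(scope, username, ip, prefix="security:throttle", max_len=MAX_KEY_LEN):
    """Build a fixed-length throttling key.

    Username and IP are hashed rather than embedded, so any username length
    fits and memcache-hostile characters (spaces, control bytes, non-ASCII)
    never reach the key. A NUL separator keeps ("ab", "c") and ("a", "bc")
    from colliding; 128 bits of SHA-256 are kept, ample for a throttle bucket.
    """
    ident = ("%s\x00%s" % (username, ip)).encode("utf-8")
    digest = hashlib.sha256(ident).hexdigest()[:32]
    key = "%s:%s:%s" % (prefix, _UNSAFE.sub("_", scope), digest)
    if len(key.encode("utf-8")) > max_len:
        raise ValueError("cache key exceeds %d bytes: %r" % (max_len, key))
    return key


def is_memcache_safe(key, max_len=MAX_KEY_LEN):
    """Check a key against memcache's rules: within the length budget and
    free of whitespace and control characters."""
    raw = key.encode("utf-8")
    return len(raw) <= max_len and not any(b <= 32 or b == 127 for b in raw)
```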

Remove bytes from migrations

In the latest Django (1.8+) it is not necessary to pass strings as byte arrays in migrations.

This appears to be legacy code. And because of this, Django's checks for migrations identify that migrations need to be created, where in fact nothing has changed.

Add support for IE to CSP middleware

When the user's browser is IE (NOT Edge), the CSP header should be X-Content-Security-Policy instead of Content-Security-Policy.

Both headers can not be set at the same time, as it will cause unexpected behaviours on certain versions of browsers.

Need to add migration to create CspReport table.

A model CspReport was added some time ago to the project, but it wasn't included in the migrations that build the tables for django-security. We haven't noticed the issue since we currently don't use this middleware, but it's going to cause issues for anyone who does.

We'll need to run a schemamigration and add the generated migration to the project.
