CRITICAL
Rule Definition
When a web server is designed to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it might be possible for an attacker to trick a client into making an unintentional request to the web server which will be treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.
Remediation
CSRF protection is enabled by default in fastapi_jwt_auth, do not disable it with the configuration parameter authjwt_cookie_csrf_protect.
Violation Code Sample
from fastapi import FastAPI
from fastapi_jwt_auth import AuthJWT
from pydantic import BaseModel
class Settings(BaseModel):
authjwt_cookie_csrf_protect: bool = False <--- violation
authjwt_secret_key: str = "xyz"
...
# callback to get your configuration
@AuthJWT.load_config
def get_config():
return Settings()
app = FastAPI()
...
Fixed Code Sample
from fastapi import FastAPI
from fastapi_jwt_auth import AuthJWT
from pydantic import BaseModel
class Settings(BaseModel):
# By default, authjwt_cookie_csrf_protect is True
authjwt_secret_key: str = "xyz"
...
# callback to get your configuration
@AuthJWT.load_config
def get_config():
return Settings()
app = FastAPI()
...
Reference
CWE-352: Cross-Site Request Forgery (CSRF)
https://cwe.mitre.org/data/definitions/352.html
OWASP Top 10:2021 - A01:2021 – Broken Access Control
https://owasp.org/Top10/A01_2021-Broken_Access_Control/
Related Technologies
Technical Criterion
CWE-352 - Cross-Site Request Forgery (CSRF)
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.