XCG security middleware for Django to defend against SSRF attacks.
Project description
govtech-csg-xcg-dangerousrequests
This package belongs to the eXtended Code Guardrails (XCG) project, which consists of a series of packages that harden the Django web framework to prevent common web application vulnerabilities.
The Dangerous Requests package contains a Django app that protects your application against dangerous requests. More specifically, this package protects against SSRF attempts when you use the requests
library in your application. This is achieved by (transparently) leveraging on the advocate
library under the hood.
Do note that the README in this repository is intentionally limited in scope and is catered towards developers. For detailed instructions on installation, usage, and community guidelines, please refer to the published documentation at https://xcg.tech.gov.sg.
Security-related matters
For instructions on how to report a vulnerability, refer to the official documentation website.
Additionally, enable email alerts for security issues by "watching" this repository. The "watch" button can be found near the top right corner of this repo's home page, and there are various options for configuring notification volume. To receive security alerts, either enable notifications for "All Activity" or "Custom -> Security alerts".
Installing development dependencies
Before building or testing the package, or committing changes, install the development dependencies into a virtual environment:
# In the project root directory
python -m venv .venv && source .venv/bin/activate
pip install -r requirements-dev.txt
Building
The package can be built using build
as the build frontend and setuptools
as the build backend.
Run the build command below:
# In the project root directory
python -m build .
This creates a directory named dist/
, which should contain 2 files:
- A
.whl
(wheel) file, which is a binary distribution format for Python packages - A
.tar.gz
file, which is a source distribution format for Python packages
To view the source files included in the source distribution, use the tar
utility as follows:
tar --list -f dist/<filename>.tar.gz
To install the package directly from either distribution files:
pip install <name_of_distribution_file>
Testing
As the tests for this package use multiple variants of the Django settings module, a convenience script has been provided for ease of running all test methods. Execute the tests using the commands below:
pip install -e . # Performs an "editable install" of the govtech-csg-xcg-dangerousrequests package
cd tests/
DANGEROUS_REQUESTS_RUN_FLAKY_TESTS=true /bin/bash run_all_tests.sh
Note on potentially flaky tests
There are a few test methods within the test suite that make HTTP requests over the internet. These are non-ideal from an automated testing perspective as they can fail intermittently due to issues such as network error.
Until these are replaced with better means of testing, developers can choose to skip those tests by dropping DANGEROUS_REQUESTS_RUN_FLAKY_TESTS=true
from the command given above.
Running pre-commit hooks
Note: This section is only relevant if you intend to contribute code
This project uses the pre-commit
tool to run Git pre-commit hooks for linting and code quality checks. The pre-commit
tool itself should have been installed along with the development dependencies. After cloning the repository for the first time, run the command below to "install" the Git hooks:
pre-commit install
The command above creates a file .git/hooks/pre-commit
, which defines the shell commands to run before any Git commit is created.
Subsequently, any invocation of git commit
will trigger the commands, rejecting the commit if there are linting errors. Issues should be automatically fixed, but you will need to re-stage the changes before attempting the commit again.
For a list of hooks run by pre-commit
, see its configuration file.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for govtech-csg-xcg-dangerousrequests-0.1.0.tar.gz
Algorithm | Hash digest | |
---|---|---|
SHA256 | 91c51c19970da1e98cd1c774ca16bf20a916fbb7491090bb7465b59d641eea02 |
|
MD5 | be066ee97b15ee41ac67cfa82ee939b6 |
|
BLAKE2b-256 | 4faaf48192c9cd79d57be559c4dc04e15231f607143fa93b1756d880c9068002 |
Hashes for govtech_csg_xcg_dangerousrequests-0.1.0-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 9f1b268112828801daf75d8f20af6689bcc78c32db5b01561d91cbec3208948a |
|
MD5 | 0ec1975934ba6667ebb24d384358ffbc |
|
BLAKE2b-256 | f94be275e95eac2a6178b57fa0410494f02746717abf6f33fb338267cd51f604 |