Julien Delange • Monday, January 23, 2023
AUTHOR
JD
Julien Delange, Founder and CEO
Julien is the CEO of Codiga. Before starting Codiga, Julien was a software engineer at Twitter and Amazon Web Services.
Julien has a PhD in computer science from Universite Pierre et Marie Curie in Paris, France.
What is Django?
If you are new to Python or never developed a web application or web-service in Python, Django is a high-level Python web framework that enables the rapid development of secure and maintainable websites. It follows the model-view-controller (MVC) architectural pattern and encourages the use of reusable code.
Django provides a built-in administration panel, an Object-Relational Mapping (ORM) system to interact with databases, and a template engine for rendering dynamic web pages. Django also includes built-in support for user authentication, URL routing, and form handling. It also has a large and active community that continuously develops and maintains a variety of packages and libraries that can be easily integrated into a Django project.
Django is widely used for building all types of web applications, from simple websites to complex, data-intensive applications. It's popular among developers for its flexibility, scalability and the ease of use.
In short: Django is popular. But using Django does not guarantee you to build a safe application.
What are the main Django vulnerabilities?
Some of the main security issues with Django include:
- SQL injection: Django's ORM (Object-Relational Mapping) can prevent some types of SQL injection, but it is not foolproof. Care should be taken to properly escape any user-supplied input when creating SQL queries. You can check our previous blog post to prevent SQL injections. This is also known as CWE-89: SQL Injection.
- Cross-site scripting (XSS): Django's template engine automatically escapes any data that is displayed on a page, but it is still possible to create a vulnerability if user-supplied data is included in a JavaScript script, for example.
- Cross-site request forgery (CSRF): Django includes protection against CSRF by default, but this protection can be bypassed if the developer is not careful.
- File upload vulnerabilities: If an application allows users to upload files, it is important to properly validate the files to prevent malicious code from being executed on the server.
- File disclosure vulnerabilities: Developers should ensure that any files that are not intended to be publicly accessible are properly protected from unauthorized access.
- Improper Input Validation: Developers do not check inputs from the user, which leads to potential injections of code in the template. This is commonly referred to the CWE-20: Improper Input Validation.
It's worth noting that these are all common web application security issues and not specific to Django, and also by following best practices and keeping your version of Django up-to-date, you can mitigate many of these risks.
Example of an application vulnerability with Django
One example of a vulnerability is the open redirect that redirects the browser to an unwanted address. This vulnerability is detected by the rule python-django/safe-redirect and we explain the vulnerability below.
Consider the following code.
def set_location_header(request):
url = request.GET.get("next", "/")
response = HttpResponse(status=302)
response['Location'] = url
return response
- At line 2 (
url = ...), we extract parameters from the request sent by the user. - At line 4, we set the redirect location to the variable retrieved at line 2
In other words, the redirection address is defined by the request parameters. An attacker could potentially send a bad address and redirect users to unwanted URLs, causing harm to the original website.
To avoid such a bug, the user should verify that the content from the request is valid and the redirection is correct.
This vulnerability is detected by the python-django/safe-redirect rule in the python-django Codiga ruleset.
How to build secure Django applications?
Codiga provides native support for Django with generic security rules to detect SQL injections and more than 20+ rules specific to Django itself.
To check your Django code, along with many other good coding practices, add a codiga.yml file at the root of your project with the following content:
rulesets:
- python-security
- python-django
You can also just invoke the following command at the root of your repository:
npx @codiga/cli ruleset-add python-security python-django
Codiga checks your code at each step of the development lifecycle:
- When you write code in VS Code, JetBrains or VisualStudio
- Before you push code using a pre-push hook
- When doing a pull request or after pushing using the Codiga platform