python: CSRF -> Csrf

Author: yoff

python/ql/lib/semmle/python/Concepts.qll

@@ -110,9 +110,9 @@ module FileSystemWriteAccess {
  * in a global manner.
  *
  * Extend this class to refine existing API models. If you want to model new APIs,
- * extend `CSRFProtectionSetting::Range` instead.
+ * extend `CsrfProtectionSetting::Range` instead.
  */
-class CSRFProtectionSetting extends DataFlow::Node instanceof CSRFProtectionSetting::Range {
+class CsrfProtectionSetting extends DataFlow::Node instanceof CsrfProtectionSetting::Range {
   /**
    * Gets the boolean value corresponding to if CSRF protection is enabled
    * (`true`) or disabled (`false`) by this node.
@@ -121,13 +121,13 @@ class CSRFProtectionSetting extends DataFlow::Node instanceof CSRFProtectionSett
 }
 
 /** Provides a class for modeling new CSRF protection setting APIs. */
-module CSRFProtectionSetting {
+module CsrfProtectionSetting {
   /**
    * A data-flow node that may set or unset Cross-site request forgery protection
    * in a global manner.
    *
    * Extend this class to model new APIs. If you want to refine existing API models,
-   * extend `CSRFProtectionSetting` instead.
+   * extend `CsrfProtectionSetting` instead.
    */
   abstract class Range extends DataFlow::Node {
     /**
@@ -143,9 +143,9 @@ module CSRFProtectionSetting {
  * for a specific part of an application.
  *
  * Extend this class to refine existing API models. If you want to model new APIs,
- * extend `CSRFProtection::Range` instead.
+ * extend `CsrfLocalProtection::Range` instead.
  */
-class CSRFProtection extends DataFlow::Node instanceof CSRFProtection::Range {
+class CsrfLocalProtection extends DataFlow::Node instanceof CsrfLocalProtection::Range {
   /**
    * Gets a `Function` representing the protected interaction
    * (probably a request handler).
@@ -154,13 +154,13 @@ class CSRFProtection extends DataFlow::Node instanceof CSRFProtection::Range {
 }
 
 /** Provides a class for modeling new CSRF protection setting APIs. */
-module CSRFProtection {
+module CsrfLocalProtection {
   /**
    * A data-flow node that provides Cross-site request forgery protection
    * for a specific part of an application.
    *
    * Extend this class to model new APIs. If you want to refine existing API models,
-   * extend `CSRFProtection` instead.
+   * extend `CsrfLocalProtection` instead.
    */
   abstract class Range extends DataFlow::Node {
     /**

python/ql/lib/semmle/python/frameworks/Django.qll

@@ -2320,7 +2320,7 @@ module PrivateDjango {
   /**
    * A custom middleware stack
    */
-  private class DjangoSettingsMiddlewareStack extends CSRFProtectionSetting::Range {
+  private class DjangoSettingsMiddlewareStack extends CsrfProtectionSetting::Range {
     List list;
 
     DjangoSettingsMiddlewareStack() {
@@ -2345,21 +2345,21 @@ module PrivateDjango {
       else result = false
     }
   }
-}
 
-private class DjangoCSRFDecorator extends CSRFProtection::Range {
-  Function function;
-
-  DjangoCSRFDecorator() {
-    this =
-      API::moduleImport("django")
-          .getMember("views")
-          .getMember("decorators")
-          .getMember("csrf")
-          .getMember("csrf_protect")
-          .getAUse() and
-    this.asExpr() = function.getADecorator()
-  }
+  private class DjangoCsrfDecorator extends CsrfLocalProtection::Range {
+    Function function;
 
-  override Function getProtected() { result = function }
+    DjangoCsrfDecorator() {
+      this =
+        API::moduleImport("django")
+            .getMember("views")
+            .getMember("decorators")
+            .getMember("csrf")
+            .getMember("csrf_protect")
+            .getAUse() and
+      this.asExpr() = function.getADecorator()
+    }
+
+    override Function getProtected() { result = function }
+  }
 }

python/ql/src/Security/CWE-352/CSRFProtectionDisabled.ql

@@ -14,10 +14,10 @@
 import python
 import semmle.python.Concepts
 
-from CSRFProtectionSetting s
+from CsrfProtectionSetting s
 where
   s.getVerificationSetting() = false and
-  not exists(CSRFProtection p) and
+  not exists(CsrfLocalProtection p) and
   // rule out test code as this is a common place to turn off CSRF protection
   not s.getLocation().getFile().getAbsolutePath().matches("%test%")
 select s, "Potential CSRF vulnerability due to forgery protection being disabled or weakened."