python: allow alternative middleware

yoff · yoff · commit 93336bcb16ce · 2022-03-23T12:27:51.000+01:00
(observed [on LGTM](https://lgtm.com/projects/g/mozilla/mozillians/snapshot/9d6a7ee180addf7652fce96c21bafbad14d1dda7/files/mozillians/settings.py?sort=name&dir=ASC&mode=heatmap#L96))
diff --git a/python/ql/lib/semmle/python/frameworks/Django.qll b/python/ql/lib/semmle/python/frameworks/Django.qll
@@ -2340,7 +2340,12 @@ module PrivateDjango {
     }
 
     override boolean getVerificationSetting() {
-      if list.getAnElt().(StrConst).getText() = "django.middleware.csrf.CsrfViewMiddleware"
+      if
+        list.getAnElt().(StrConst).getText() in [
+            "django.middleware.csrf.CsrfViewMiddleware",
+            // see https://github.com/mozilla/django-session-csrf
+            "session_csrf.CsrfMiddleware"
+          ]
       then result = true
       else result = false
     }

Original file line number	Diff line number	Diff line change
`@@ -2340,7 +2340,12 @@ module PrivateDjango {`
`2340`	`2340`	`}`
`2341`	`2341`
`2342`	`2342`	`override boolean getVerificationSetting() {`
`2343`		`- if list.getAnElt().(StrConst).getText() = "django.middleware.csrf.CsrfViewMiddleware"`
	`2343`	`+ if`
	`2344`	`+ list.getAnElt().(StrConst).getText() in [`
	`2345`	`+ "django.middleware.csrf.CsrfViewMiddleware",`
	`2346`	`+ // see https://github.com/mozilla/django-session-csrf`
	`2347`	`+ "session_csrf.CsrfMiddleware"`
	`2348`	`+ ]`
`2344`	`2349`	`then result = true`
`2345`	`2350`	`else result = false`
`2346`	`2351`	`}`