[Django] #34695: security.E101 false positive with class-based views

35 views
Skip to first unread message

Django

unread,
Jul 5, 2023, 12:47:32 PM7/5/23
to django-...@googlegroups.com
#34695: security.E101 false positive with class-based views
-----------------------------------------+------------------------
Reporter: asottile | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 4.2
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-----------------------------------------+------------------------
minimal example

{{{
class MyView(View):
def dispatch(self, request, reason=''):
...

view = MyView.as_view()
}}}

though this appears to work at runtime (at least in unsupported django 2.2
which is what I'm trying to upgrade from), the framework gives an error:

{{{
ERRORS:
?: (security.E101) The CSRF failure view 'myview.view' does not take the
correct number of arguments.
}}}

the reason stems from the use of `inspect.signature` on the view:

{{{
>>> sig = inspect.signature(view)
>>> sig
<Signature (self, request, reason='')>
>>> sig.bind(None, reason=None)
Traceback (most recent call last):
File "/Users/asottile/.pyenv/versions/3.8.16/lib/python3.8/code.py",
line 90, in runcode
exec(code, self.locals)
File "<console>", line 1, in <module>
File "/Users/asottile/.pyenv/versions/3.8.16/lib/python3.8/inspect.py",
line 3037, in bind
return self._bind(args, kwargs)
File "/Users/asottile/.pyenv/versions/3.8.16/lib/python3.8/inspect.py",
line 2952, in _bind
raise TypeError(msg) from None
TypeError: missing a required argument: 'request'
}}}

https://github.com/django/django/blob/649262a406168709686f97694493aa1f717c6c96/django/core/checks/security/csrf.py#L60

--
Ticket URL: <https://code.djangoproject.com/ticket/34695>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

unread,
Jul 5, 2023, 12:56:48 PM7/5/23
to django-...@googlegroups.com
#34695: security.E101 false positive with class-based views
-------------------------------------+-------------------------------------
Reporter: asottile | Owner: nobody
Type: Bug | Status: new
Component: Core (System | Version: 4.2
checks) |
Severity: Normal | Resolution:

Keywords: | Triage Stage:
| Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by asottile):

* type: Uncategorized => Bug
* component: Uncategorized => Core (System checks)


--
Ticket URL: <https://code.djangoproject.com/ticket/34695#comment:1>

Django

unread,
Jul 5, 2023, 1:41:06 PM7/5/23
to django-...@googlegroups.com
#34695: security.E101 false positive with class-based views
-------------------------------------+-------------------------------------
Reporter: Anthony Sottile | Owner: nobody

Type: Bug | Status: new
Component: Core (System | Version: 4.2
checks) |
Severity: Normal | Resolution:
Keywords: | Triage Stage:
| Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Mariusz Felisiak):

As far as I'm aware, `CSRF_FAILURE_VIEW` doesn't support class-based
views, at least officially, check out
[https://docs.djangoproject.com/en/stable/ref/settings/#csrf-failure-view
docs]:

''"A dotted path to the **view function** to be used when an incoming
request is rejected by the CSRF protection. The function should have this
signature:"''

--
Ticket URL: <https://code.djangoproject.com/ticket/34695#comment:2>

Django

unread,
Jul 5, 2023, 2:03:49 PM7/5/23
to django-...@googlegroups.com
#34695: security.E101 false positive with class-based views
-------------------------------------+-------------------------------------
Reporter: asottile | Owner: nobody
Type: Bug | Status: closed

Component: Core (System | Version: 4.2
checks) | Resolution:
Severity: Normal | worksforme

Keywords: | Triage Stage:
| Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak):

* status: new => closed
* resolution: => worksforme


Comment:

Also, it works for me with Django 4.2 and on the current `main` branch.
I've checked with Python 3.8 and 3.10.

--
Ticket URL: <https://code.djangoproject.com/ticket/34695#comment:3>

Django

unread,
Jul 5, 2023, 2:34:18 PM7/5/23
to django-...@googlegroups.com
#34695: security.E101 false positive with class-based views
-------------------------------------+-------------------------------------
Reporter: Anthony Sottile | Owner: nobody

Type: Bug | Status: closed
Component: Core (System | Version: 4.2
checks) | Resolution:
Severity: Normal | worksforme
Keywords: | Triage Stage:
| Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Mariusz Felisiak):

Check out [https://github.com/django/django/pull/17047 PR].

--
Ticket URL: <https://code.djangoproject.com/ticket/34695#comment:4>

Django

unread,
Jul 11, 2023, 4:46:44 AM7/11/23
to django-...@googlegroups.com
#34695: security.E101 false positive with class-based views
-------------------------------------+-------------------------------------
Reporter: Anthony Sottile | Owner: nobody
Type: Bug | Status: closed
Component: Core (System | Version: 4.2
checks) | Resolution:
Severity: Normal | worksforme
Keywords: | Triage Stage:
| Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by GitHub <noreply@…>):

In [changeset:"c7276a9cb97e8581faccb6c66a6a490e2d400c07" c7276a9c]:
{{{
#!CommitTicketReference repository=""
revision="c7276a9cb97e8581faccb6c66a6a490e2d400c07"
Refs #34695 -- Added tests for check for CSRF_FAILURE_VIEW signature with
valid class-based view.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/34695#comment:5>

Reply all
Reply to author
Forward
0 new messages