Hopiu/django-axes
1
0
Fork 0
mirror of https://github.com/jazzband/django-axes.git synced 2026-03-16 22:30:23 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Add security check (W006) for missing ip_address in lockout params

Browse source
This commit is contained in:
shayan taki 2025-12-08 05:31:16 -08:00 committed by Aleksi Häkli
parent 88827c381e
commit 3f6e773f7d
1 changed files with 35 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

36
axes/checks.py
View file

@ -22,6 +22,10 @@ class Messages:
BACKEND_INVALID = "You do not have 'axes.backends.AxesStandaloneBackend' or a subclass in your settings.AUTHENTICATION_BACKENDS." BACKEND_INVALID = "You do not have 'axes.backends.AxesStandaloneBackend' or a subclass in your settings.AUTHENTICATION_BACKENDS."
SETTING_DEPRECATED = "You have a deprecated setting {deprecated_setting} configured in your project settings" SETTING_DEPRECATED = "You have a deprecated setting {deprecated_setting} configured in your project settings"
CALLABLE_INVALID = "{callable_setting} is not a valid callable." CALLABLE_INVALID = "{callable_setting} is not a valid callable."
LOCKOUT_PARAMETERS_INVALID = (
"AXES_LOCKOUT_PARAMETERS does not contain 'ip_address'."
" This configuration allows attackers to bypass rate limits by rotating User-Agents or Cookies."
)
class Hints: class Hints:
@ -30,6 +34,7 @@ class Hints:
BACKEND_INVALID = "AxesModelBackend was renamed to AxesStandaloneBackend in django-axes version 5.0." BACKEND_INVALID = "AxesModelBackend was renamed to AxesStandaloneBackend in django-axes version 5.0."
SETTING_DEPRECATED = None SETTING_DEPRECATED = None
CALLABLE_INVALID = None CALLABLE_INVALID = None
LOCKOUT_PARAMETERS_INVALID = "Add 'ip_address' to AXES_LOCKOUT_PARAMETERS."
class Codes: class Codes:
@ -38,6 +43,7 @@ class Codes:
BACKEND_INVALID = "axes.W003" BACKEND_INVALID = "axes.W003"
SETTING_DEPRECATED = "axes.W004" SETTING_DEPRECATED = "axes.W004"
CALLABLE_INVALID = "axes.W005" CALLABLE_INVALID = "axes.W005"
LOCKOUT_PARAMETERS_INVALID = "axes.W006"
@register(Tags.security, Tags.caches, Tags.compatibility) @register(Tags.security, Tags.caches, Tags.compatibility)
@ -158,6 +164,34 @@ def axes_deprecation_check(app_configs, **kwargs): # pylint: disable=unused-arg
return warnings return warnings
@register(Tags.security)
def axes_lockout_params_check(app_configs, **kwargs): # pylint: disable=unused-argument
warnings = []
lockout_params = getattr(settings, "AXES_LOCKOUT_PARAMETERS", None)
if isinstance(lockout_params, (list, tuple)):
has_ip = False
for param in lockout_params:
if param == "ip_address":
has_ip = True
break
if isinstance(param, (list, tuple)) and "ip_address" in param:
has_ip = True
break
if not has_ip:
warnings.append(
Warning(
msg=Messages.LOCKOUT_PARAMETERS_INVALID,
hint=Hints.LOCKOUT_PARAMETERS_INVALID,
id=Codes.LOCKOUT_PARAMETERS_INVALID,
)
)
return warnings
@register @register
def axes_conf_check(app_configs, **kwargs): # pylint: disable=unused-argument def axes_conf_check(app_configs, **kwargs): # pylint: disable=unused-argument
warnings = [] warnings = []
@ -201,4 +235,4 @@ def is_valid_callable(value) -> bool:
except ImportError: except ImportError:
return False return False
return True return True