Adding CSRF Validation for schemas (#15027)

* Adding CSRF Validation for schemas * Changing retrieve of scheme to avoid importing new library * check if CSRF_TRUSTED_ORIGINS exists before accessing it --------- Signed-off-by: Bruno Sanchez <brsanche@redhat.com>
2026-01-10 15:32:07 -03:30 · 2024-04-24 20:47:03 +01:00 · 2024-04-24 20:47:03 +01:00 · 7dc77546f4
commit 7dc77546f4
parent f5f85666c8
2 changed files with 25 additions and 1 deletions
--- a/awx/main/conf.py
+++ b/awx/main/conf.py
@ -2,6 +2,7 @@
 import logging

 # Django
+from django.core.checks import Error
 from django.utils.translation import gettext_lazy as _

 # Django REST Framework
@ -954,3 +955,27 @@ def logging_validate(serializer, attrs):


 register_validate('logging', logging_validate)
+
+
+def csrf_trusted_origins_validate(serializer, attrs):
+    if not serializer.instance or not hasattr(serializer.instance, 'CSRF_TRUSTED_ORIGINS'):
+        return attrs
+    if 'CSRF_TRUSTED_ORIGINS' not in attrs:
+        return attrs
+    errors = []
+    for origin in attrs['CSRF_TRUSTED_ORIGINS']:
+        if "://" not in origin:
+            errors.append(
+                Error(
+                    "As of Django 4.0, the values in the CSRF_TRUSTED_ORIGINS "
+                    "setting must start with a scheme (usually http:// or "
+                    "https://) but found %s. See the release notes for details." % origin,
+                )
+            )
+    if errors:
+        error_messages = [error.msg for error in errors]
+        raise serializers.ValidationError(_('\n'.join(error_messages)))
+    return attrs
+
+
+register_validate('system', csrf_trusted_origins_validate)
--- a/awx/main/migrations/0190_alter_inventorysource_source_and_more.py
+++ b/awx/main/migrations/0190_alter_inventorysource_source_and_more.py
@ -4,7 +4,6 @@ from django.db import migrations, models


 class Migration(migrations.Migration):
-
    dependencies = [
        ('main', '0189_inbound_hop_nodes'),
    ]