|
| 1 | +--- |
| 2 | +description: Generates secure Python/Django code inherently preventing top security weaknesses, adhering to OWASP ASVS and avoiding common CWEs. |
| 3 | +globs: **/*.py |
| 4 | +alwaysApply: false |
| 5 | +--- |
| 6 | + |
| 7 | +# Secure Python/Django Code Generation Rules |
| 8 | + |
| 9 | +As a security-aware developer, generate secure Python code using Django that inherently prevents top security weaknesses. Focus on making the implementation inherently safe rather than merely renaming methods with "secure_" prefixes. Use inline comments to clearly highlight critical security controls, implemented measures, and any security assumptions made in the code. Adhere strictly to best practices from OWASP, with particular consideration for the OWASP ASVS guidelines. Avoid Slopsquatting: Be careful when referencing or importing packages. Do not guess if a package exists. Comment on any low reputation or uncommon packages you have included. |
| 10 | + |
| 11 | +### CWE-79: Cross-Site Scripting (XSS) |
| 12 | +**Summary:** Untrusted data is rendered in a web page without proper sanitization, leading to malicious script execution in the user's browser. |
| 13 | +**Mitigation Rule:** Always use Django's template engine's auto-escaping feature for all user-supplied data displayed in templates. If raw HTML must be rendered, use Django's `mark_safe` function only after strict sanitization with a dedicated library like `bleach`. |
| 14 | + |
| 15 | +### CWE-89: SQL Injection |
| 16 | +**Summary:** Untrusted input is used to construct SQL queries, allowing an attacker to alter the query's intent or execute arbitrary database commands. |
| 17 | +**Mitigation Rule:** Exclusively use Django's Object-Relational Mapper (ORM) QuerySet API for all database interactions. Avoid raw SQL queries; if absolutely necessary, use Django's `connection.cursor().execute()` with parameterized queries to prevent injection. |
| 18 | + |
| 19 | +### CWE-200: Exposure of Sensitive Information |
| 20 | +**Summary:** Sensitive information such as personally identifiable data, credentials, or system details is disclosed to an unauthorized actor. |
| 21 | +**Mitigation Rule:** Implement robust access controls using Django's permission system and `login_required` decorator. Ensure all communication uses HTTPS. Filter sensitive data from API responses, logs, and error messages. Avoid verbose error messages in production environments. |
| 22 | + |
| 23 | +### CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) |
| 24 | +**Summary:** Untrusted input is used to access files outside an intended directory, potentially allowing access to sensitive system files. |
| 25 | +**Mitigation Rule:** Strictly validate and sanitize all user-supplied file paths. Use `os.path.abspath` and `os.path.normpath` in conjunction with `os.path.commonpath` to ensure that resolved paths remain within an explicitly defined, trusted base directory for file operations. Store uploaded files in non-executable directories. |
| 26 | + |
| 27 | +### CWE-352: Cross-Site Request Forgery (CSRF) |
| 28 | +**Summary:** An attacker induces a victim to perform an unintended action on a web application where they are authenticated. |
| 29 | +**Mitigation Rule:** Ensure all state-changing HTTP methods (POST, PUT, DELETE) in Django views and forms include and validate the `csrf_token` through Django's built-in `CsrfViewMiddleware` and `{% csrf_token %}` template tag. |
| 30 | + |
| 31 | +### CWE-502: Deserialization of Untrusted Data |
| 32 | +**Summary:** Deserializing data from an untrusted source can lead to arbitrary code execution, denial of service, or other vulnerabilities. |
| 33 | +**Mitigation Rule:** Never deserialize untrusted data using unsafe formats or functions like `pickle`. If deserialization is required, use secure formats like JSON and `json.loads`, ensuring no arbitrary code execution is possible through the deserialized content. |
| 34 | + |
| 35 | +### CWE-798: Use of Hard-coded Credentials |
| 36 | +**Summary:** Sensitive data such as passwords, API keys, or encryption keys are directly embedded within the source code, making them easily discoverable. |
| 37 | +**Mitigation Rule:** All secrets, including database credentials, API keys, and private keys, must be loaded from environment variables using libraries like `python-decouple` or `django-environ`, or from a secure secrets management service (e.g., HashiCorp Vault, AWS Secrets Manager). Never hardcode secrets in the codebase or commit them to version control. |
0 commit comments