From fed5eb31d3d37ff84d49fddfd4991d4d5884d7a9 Mon Sep 17 00:00:00 2001
From: Eddy Harrington
Date: Mon, 29 Mar 2021 14:02:45 -0700
Subject: [PATCH] Add CSRF protection
---
 app.py | 15 +++++++++++++++
 templates/account.html | 5 +++++
 templates/addexpenses.html | 1 +
 templates/budgets.html | 1 +
 templates/categories.html | 3 +++
 templates/createbudget.html | 1 +
 templates/expensehistory.html | 1 +
 templates/index.html | 1 +
 templates/login.html | 1 +
 templates/register.html | 1 +
 templates/updatebudget.html | 1 +
 11 files changed, 31 insertions(+)
diff --git a/app.py b/app.py
index e4bd483..95756d4 100644
--- a/app.py
+++ b/app.py
@@ -18,6 +18,7 @@ from werkzeug.exceptions import default_exceptions, HTTPException, InternalServerError
 from werkzeug.security import check_password_hash, generate_password_hash
 from datetime import datetime
+from flask_wtf.csrf import CSRFProtect
 from helpers import apology, login_required, usd
@@ -47,6 +48,8 @@ def after_request(response):
 # Custom filter
 app.jinja_env.filters["usd"] = usd
+# Enable CSRF protection globally for the Flask app
+csrf = CSRFProtect(app)
 # Create engine object to manage connections to DB, and scoped session to separate user interactions with DB
 engine = create_engine(os.getenv("DATABASE_URL"))
@@ -222,6 +225,9 @@ def index():
 # Get all of the expenses provided from the HTML form
 formData = list(request.form.items())
+ # Remove CSRF field from form data before processing
+ formData.pop(0)
+
 # Add expenses to the DB for user
 expenses = tendie_expenses.addExpenses(formData, session["user_id"])
@@ -247,6 +253,9 @@ def addexpenses():
 # Get all of the expenses provided from the HTML form
 formData = list(request.form.items())
+ # Remove CSRF field from form data before processing
+ formData.pop(0)
+
 # Add expenses to the DB for user
 expenses = tendie_expenses.addExpenses(formData, session["user_id"])
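Review bot: `csrf = CSRFProtect(app)` in the after_request hunk makes every token generation depend on a signing key (`app.secret_key`, or `WTF_CSRF_SECRET_KEY`), and nothing in this hunk sets one; if app.py does not already configure a secret key for the session, Flask-WTF raises on the first form render rather than at startup, so the failure surfaces late. I would document the dependency on that line, e.g. `# Requires app.secret_key (or WTF_CSRF_SECRET_KEY) to sign CSRF tokens`, or set the config key explicitly right next to it. Also note that a missing or expired token is reported as a 400 CSRFError (a BadRequest subclass); the existing error handling built on default_exceptions presumably turns that into the apology page, so it is worth confirming the message users get when a token expires (WTF_CSRF_TIME_LIMIT defaults to 3600 s) is acceptable.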
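Review bot: `formData.pop(0)` in the index hunk removes whichever field arrived first in the request body, not the CSRF field: `request.form.items()` preserves submission order, so this only works while the hidden token input is the very first control in the form, and any later template reordering would silently drop a real expense field and pass the token on to tendie_expenses.addExpenses instead. Filter by key rather than by position: `formData = [(k, v) for k, v in request.form.items() if k != "csrf_token"]` (the field name is Flask-WTF's default, configurable via WTF_CSRF_FIELD_NAME). The same pattern appears in the addexpenses hunk and in the createbudget and updatebudget hunks that follow, and the fix is identical there. Each of these functions starts and ends outside its hunk, so I cannot see whether formData is used elsewhere in them.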
@@ -404,6 +413,9 @@ def createbudget():
 # Get all of the budget info provided from the HTML form
 formData = list(request.form.items())
+ # Remove CSRF field from form data before processing
+ formData.pop(0)
+
 # Generate data structure to hold budget info from form
 budgetDict = tendie_budgets.generateBudgetFromForm(formData)
@@ -442,6 +454,9 @@ def updatebudget(urlvar_budgetname):
 # Get all of the budget info provided from the HTML form
 formData = list(request.form.items())
+ # Remove CSRF field from form data before processing
+ formData.pop(0)
+
 # Generate data structure to hold budget info from form
 budgetDict = tendie_budgets.generateBudgetFromForm(formData)
diff --git a/templates/account.html b/templates/account.html
index 03dc41f..f8006a6 100644
--- a/templates/account.html
+++ b/templates/account.html
@@ -43,6 +43,7 @@
Income
+
@@ -64,6 +65,7 @@
Payers
+
@@ -101,6 +103,7 @@
Password
+
@@ -144,6 +147,7 @@