getsentry · untitaker · Aug 19, 2020 · Aug 18, 2020 · Aug 18, 2020 · Aug 18, 2020
@@ -1,6 +1,6 @@
 from sentry_sdk.hub import Hub
 from sentry_sdk._types import MYPY
-from sentry_sdk._functools import wraps
+from sentry_sdk import _functools
 
 if MYPY:
     from typing import Any
@@ -43,7 +43,20 @@ def _wrap_resolver_match(hub, resolver_match):
 
     old_callback = resolver_match.func
 
-    @wraps(old_callback)
+    # Explicitly forward `csrf_exempt` in case it is not an attribute in
+    # callback.__dict__, but rather a class attribute (on a class
+    # implementing __call__) such as this:
+    #
+    #     class Foo(object):
+    #         csrf_exempt = True
+    #
+    #         def __call__(self, request): ...
+    #
+    # We have had this in the Sentry codebase (for no good reason, but
+    # nevertheless we broke user code)
+    assigned = _functools.WRAPPER_ASSIGNMENTS + ("csrf_exempt",)
+
+    @_functools.wraps(old_callback, assigned=assigned)
     def callback(*args, **kwargs):
         # type: (*Any, **Any) -> Any
         with hub.start_span(op="django.view", description=resolver_match.view_name):

@@ -76,6 +76,7 @@ def middleware(request):
 MIDDLEWARE_CLASSES = [
     "django.contrib.sessions.middleware.SessionMiddleware",
     "django.contrib.auth.middleware.AuthenticationMiddleware",
+    "django.middleware.csrf.CsrfViewMiddleware",
     "tests.integrations.django.myapp.settings.TestMiddleware",
 ]
 

@@ -18,7 +18,11 @@
 try:
     from django.urls import path
 except ImportError:
-    from django.conf.urls import url as path
+    from django.conf.urls import url
+
+    def path(path, *args, **kwargs):
+        return url("^{}$".format(path), *args, **kwargs)
+
 
 from . import views
 
@@ -33,13 +37,24 @@
     path("message", views.message, name="message"),
     path("mylogin", views.mylogin, name="mylogin"),
     path("classbased", views.ClassBasedView.as_view(), name="classbased"),
+    path("sentryclass", views.SentryClassBasedView(), name="sentryclass"),
+    path(
+        "sentryclass-csrf",
+        views.SentryClassBasedViewWithCsrf(),
+        name="sentryclass_csrf",
+    ),
     path("post-echo", views.post_echo, name="post_echo"),
     path("template-exc", views.template_exc, name="template_exc"),
     path(
         "permission-denied-exc",
         views.permission_denied_exc,
         name="permission_denied_exc",
     ),
+    path(
+        "csrf-hello-not-exempt",
+        views.csrf_hello_not_exempt,
+        name="csrf_hello_not_exempt",
+    ),
 ]
 
 

@@ -4,6 +4,8 @@
 from django.http import HttpResponse, HttpResponseServerError, HttpResponseNotFound
 from django.shortcuts import render
 from django.views.generic import ListView
+from django.views.decorators.csrf import csrf_exempt
+from django.utils.decorators import method_decorator
 
 try:
     from rest_framework.decorators import api_view
@@ -33,52 +35,88 @@ def rest_permission_denied_exc(request):
 import sentry_sdk
 
 
+@csrf_exempt
 def view_exc(request):
     1 / 0
 
 
+# This is a "class based view" as previously found in the sentry codebase. The
+# interesting property of this one is that csrf_exempt, as a class attribute,
+# is not in __dict__, so regular use of functools.wraps will not forward the
+# attribute.
+class SentryClassBasedView(object):
+    csrf_exempt = True
+
+    def __call__(self, request):
+        return HttpResponse("ok")
+
+
+class SentryClassBasedViewWithCsrf(object):
+    def __call__(self, request):
+        return HttpResponse("ok")
+
+
+@csrf_exempt
 def read_body_and_view_exc(request):
     request.read()
     1 / 0
 
 
+@csrf_exempt
 def message(request):
     sentry_sdk.capture_message("hi")
     return HttpResponse("ok")
 
 
+@csrf_exempt
 def mylogin(request):
     user = User.objects.create_user("john", "[email protected]", "johnpassword")
     user.backend = "django.contrib.auth.backends.ModelBackend"
     login(request, user)
     return HttpResponse("ok")
 
 
+@csrf_exempt
 def handler500(request):
     return HttpResponseServerError("Sentry error: %s" % sentry_sdk.last_event_id())
 
 
 class ClassBasedView(ListView):
     model = None
 
+    @method_decorator(csrf_exempt)
+    def dispatch(self, request, *args, **kwargs):
+        return super(ClassBasedView, self).dispatch(request, *args, **kwargs)
+
     def head(self, *args, **kwargs):
         sentry_sdk.capture_message("hi")
         return HttpResponse("")
 
+    def post(self, *args, **kwargs):
+        return HttpResponse("ok")
+
 
+@csrf_exempt
 def post_echo(request):
     sentry_sdk.capture_message("hi")
     return HttpResponse(request.body)
 
 
+@csrf_exempt
 def handler404(*args, **kwargs):
     sentry_sdk.capture_message("not found", level="error")
     return HttpResponseNotFound("404")
 
 
+@csrf_exempt
 def template_exc(request, *args, **kwargs):
     return render(request, "error.html")
 
 
+@csrf_exempt
 def permission_denied_exc(*args, **kwargs):
     raise PermissionDenied("bye")
+
+
+def csrf_hello_not_exempt(*args, **kwargs):
+    return HttpResponse("ok")
@@ -532,9 +532,11 @@ def test_middleware_spans(sentry_init, client, capture_events, render_span_tree)
 - op="http.server": description=null
   - op="django.middleware": description="django.contrib.sessions.middleware.SessionMiddleware.__call__"
     - op="django.middleware": description="django.contrib.auth.middleware.AuthenticationMiddleware.__call__"
-      - op="django.middleware": description="tests.integrations.django.myapp.settings.TestMiddleware.__call__"
-        - op="django.middleware": description="tests.integrations.django.myapp.settings.TestFunctionMiddleware.__call__"
-          - op="django.view": description="message"\
+      - op="django.middleware": description="django.middleware.csrf.CsrfViewMiddleware.__call__"
+        - op="django.middleware": description="tests.integrations.django.myapp.settings.TestMiddleware.__call__"
+          - op="django.middleware": description="tests.integrations.django.myapp.settings.TestFunctionMiddleware.__call__"
+            - op="django.middleware": description="django.middleware.csrf.CsrfViewMiddleware.process_view"
+            - op="django.view": description="message"\
 """
         )
 
@@ -546,8 +548,10 @@ def test_middleware_spans(sentry_init, client, capture_events, render_span_tree)
   - op="django.middleware": description="django.contrib.sessions.middleware.SessionMiddleware.process_request"
   - op="django.middleware": description="django.contrib.auth.middleware.AuthenticationMiddleware.process_request"
   - op="django.middleware": description="tests.integrations.django.myapp.settings.TestMiddleware.process_request"
+  - op="django.middleware": description="django.middleware.csrf.CsrfViewMiddleware.process_view"
   - op="django.view": description="message"
   - op="django.middleware": description="tests.integrations.django.myapp.settings.TestMiddleware.process_response"
+  - op="django.middleware": description="django.middleware.csrf.CsrfViewMiddleware.process_response"
   - op="django.middleware": description="django.contrib.sessions.middleware.SessionMiddleware.process_response"\
 """
         )
@@ -566,3 +570,30 @@ def test_middleware_spans_disabled(sentry_init, client, capture_events):
     assert message["message"] == "hi"
 
     assert not transaction["spans"]
+
+
+def test_csrf(sentry_init, client):
+    """
+    Assert that CSRF view decorator works even with the view wrapped in our own
+    callable.
+    """
+
+    sentry_init(integrations=[DjangoIntegration()])
+
+    content, status, _headers = client.post(reverse("csrf_hello_not_exempt"))
+    assert status.lower() == "403 forbidden"
+
+    content, status, _headers = client.post(reverse("sentryclass_csrf"))
+    assert status.lower() == "403 forbidden"
+
+    content, status, _headers = client.post(reverse("sentryclass"))
+    assert status.lower() == "200 ok"
+    assert b"".join(content) == b"ok"
+
+    content, status, _headers = client.post(reverse("classbased"))
+    assert status.lower() == "200 ok"
+    assert b"".join(content) == b"ok"
+
+    content, status, _headers = client.post(reverse("message"))
+    assert status.lower() == "200 ok"
+    assert b"".join(content) == b"ok"