andrewmusselman opened a new issue, #792:
URL: https://github.com/apache/tooling-trusted-releases/issues/792
**ASVS:** 3.5.1 · **CWE:** CWE-352 · **File:** `atr/models/schema.py`
### Description
The `Form` base class defines the CSRF token field as optional:
```python
class Form(pydantic.BaseModel):
csrf_token: str | None = None # Optional
```
While the global CSRF middleware validates tokens regardless of the model
definition, making the field optional weakens the validation contract and could
mask issues if the middleware is ever bypassed or misconfigured.
### Recommended fix
```python
class Form(pydantic.BaseModel):
csrf_token: str # Required
```
Test whether `csrf: str` works
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
