session-fixation

python-djangoSecurityError


django
CWE-384

Do not set the sessionid cookie manually, especially based on user input.

See

  • CWE-384

Ast Rule: function definition


session-fixation

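/**
 * Codiga rule "session-fixation" (CWE-384) for Django views.
 *
 * Reports two patterns inside the visited function body, provided the
 * module has a `from ... import HttpResponse` statement and the response
 * variable was assigned from a direct `HttpResponse(...)` call:
 *   - `response["Set-Cookie"] = ...`
 *   - `response.set_cookie("sessionid", ...)` (exactly two arguments)
 *
 * @param {object} node - AST node of the function definition; reads
 *   `node.context.imports` (module imports) and `node.content` (body).
 * @param {string} filename - path of the analysed file (unused).
 * @param {string} code - source text of the analysed file (unused).
 * @returns {undefined} Findings are reported through the global addError().
 */
function visit(node, filename, code) {
  // True when some `from ... import` statement brings `element` into scope.
  // NOTE(review): packageName is not compared against the import's module,
  // so `from other.module import HttpResponse` also enables the rule; the
  // AST field holding the module name is not visible here — confirm it and
  // add that check.
  const useFrom = (packageName, element) =>
    node.context.imports.some(
      (imp) =>
        imp.astType === "fromstatement" &&
        imp.elements.some((e) => e.name && e.name.value === element),
    );

  // An array (even an empty one) is always truthy, so the absence check
  // must be an explicit boolean, otherwise the rule runs on every file.
  if (!useFrom("django.http", "HttpResponse")) {
    return;
  }

  // Name of the variable most recently assigned from HttpResponse(...).
  let httpResponseValue = null;

  // Both findings carry the same message/severity; report on the element's span.
  const reportSessionId = (element) => {
    const error = buildError(
      element.start.line, element.start.col,
      element.end.line, element.end.col,
      "do not set the sessionid manually", "CRITICAL", "SECURITY");
    addError(error);
  };

  const checkFunctionContent = (element) => {
    if (!element) {
      return;
    }

    // Recurse into statement sequences first, then inspect this element.
    if (element.astType === "sequence") {
      element.elements.forEach((child) => checkFunctionContent(child));
    }

    if (element.astType === "assignment") {
      const { left, right } = element;

      // foo = HttpResponse(...): remember the assigned variable name.
      if (right && right.astType === "functioncall" &&
          right.functionName && right.functionName.value === "HttpResponse" &&
          left && left.astType === "string" && left.value) {
        httpResponseValue = left.value;
      }

      // response["Set-Cookie"] = value (index value keeps its quotes in the AST).
      if (httpResponseValue && left && left.astType === "variableindex" &&
          left.variable && left.variable.value === httpResponseValue &&
          left.index && left.index.value === '"Set-Cookie"') {
        reportSessionId(element);
      }
    }

    // response.set_cookie("sessionid", value): only the two-argument form is matched.
    if (element.astType === "functioncall" &&
        element.functionName && element.functionName.value === "set_cookie" &&
        httpResponseValue && element.moduleOrObject &&
        element.moduleOrObject.value === httpResponseValue) {
      const args = element.arguments && element.arguments.values;
      if (args && args.length === 2) {
        const firstArgument = args[0].value;
        if (firstArgument && firstArgument.astType === "string" &&
            firstArgument.value === '"sessionid"') {
          reportSessionId(element);
        }
      }
    }
  };

  checkFunctionContent(node.content);
}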

tainted-cookie2.py

Expected test result: has error

from django.http import HttpResponse

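def index(request):
    """Fixture for the positive case: the Set-Cookie header is written
    directly from a request parameter, which the rule must report."""
    value = request.GET.get("value")
    response = HttpResponse("")
    response["Set-Cookie"] = value  # expected finding
    # Indented with spaces like the surrounding lines; the original mixed
    # tabs here, which Python rejects as inconsistent indentation.
    response["Any-Other-Header"] = value  # not a session header; no finding
    return response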

secure-cookie.py

Expected test result: no error

from django.http import HttpResponse

def index(request):
    """Fixture for the negative case: the header written and the cookie
    set are not the session cookie, so the rule must report nothing."""
    value = request.GET.get("value")
    response = HttpResponse("")
    response["X-Data"] = value
    response.set_cookie("data", value)
    return response

tainted-cookie.py

Expected test result: has error

from django.http import HttpResponse

def index(request):
    """Fixture for the positive case: the session cookie is set directly
    from a request parameter via set_cookie("sessionid", ...)."""
    value = request.GET.get("value")
    response = HttpResponse("")
    response.set_cookie("sessionid", value)
    return response
