safe-cookie

Language: python · Framework: flask · Category: Security · Severity: Error

Tags: cookies, samesite
CWE-1275

Ensure the cookie is set securely by checking the following keyword arguments of the set_cookie function:

  • secure limits cookies to HTTPS traffic only.
  • httponly protects the contents of cookies from being read with JavaScript.
  • samesite restricts how cookies are sent with requests from external sites.
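
The following Python is an added example, not the rule's own code or anything from Codiga or Flask: it uses only the standard library to render Set-Cookie headers with the same keyword names as Flask's Response.set_cookie, then audits a header for the three attributes listed above. The helpers build_set_cookie and audit_set_cookie, the ACCEPTABLE_SAMESITE set and the sample headers are constructed for illustration. It goes slightly beyond the rule, which accepts only Lax: the audit also accepts Strict and explicitly flags SameSite=None.

```python
"""Audit Set-Cookie headers for Secure, HttpOnly and SameSite.

Added example, not Codiga's rule code: build_set_cookie, audit_set_cookie,
ACCEPTABLE_SAMESITE and the sample headers are constructed for illustration.
Only the standard library is used; the keyword names mirror Flask's
Response.set_cookie so the page's test files map onto the calls below.
"""
from http.cookies import SimpleCookie

# The page's rule accepts only "Lax"; Strict is at least as restrictive, so the
# audit accepts both. "None" re-enables cross-site sending and is rejected.
ACCEPTABLE_SAMESITE = {"lax", "strict"}


def build_set_cookie(name, value, *, secure=False, httponly=False, samesite=None):
    """Render one Set-Cookie header value the way a framework would emit it."""
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["path"] = "/"
    if secure:
        morsel["secure"] = True        # Secure: sent over HTTPS only
    if httponly:
        morsel["httponly"] = True      # HttpOnly: hidden from document.cookie
    if samesite:
        morsel["samesite"] = samesite  # SameSite=Lax|Strict|None
    return morsel.OutputString()


def audit_set_cookie(header):
    """Return findings for a Set-Cookie header value; an empty list is a pass.

    These checks are the runtime counterpart of the three keyword arguments
    the safe-cookie rule inspects in the set_cookie call.
    """
    parts = [p.strip() for p in header.split(";")]
    attributes = {}
    for part in parts[1:]:  # parts[0] is the name=value pair
        key, _, val = part.partition("=")
        attributes[key.lower()] = val
    findings = []
    if "secure" not in attributes:
        findings.append("secure missing: cookie is also sent over plain HTTP")
    if "httponly" not in attributes:
        findings.append("httponly missing: cookie is readable from JavaScript")
    samesite = attributes.get("samesite")
    if samesite is None:
        findings.append("samesite missing: browser default decides cross-site sending")
    elif samesite.lower() not in ACCEPTABLE_SAMESITE:
        findings.append(f"samesite={samesite} is not Lax or Strict")
    return findings


# Constructed samples that mirror the page's test files.
HARDENED = build_set_cookie("username", "flask", secure=True, httponly=True, samesite="Lax")  # set_cookie.py
NO_SECURE = build_set_cookie("username", "flask", httponly=True, samesite="Lax")             # no_secure.py
CROSS_SITE = build_set_cookie("username", "flask", secure=True, httponly=True, samesite="None")

if __name__ == "__main__":
    for label, header in [("hardened", HARDENED), ("no_secure", NO_SECURE), ("cross_site", CROSS_SITE)]:
        print(f"{label}: {header}")
        for finding in audit_set_cookie(header) or ["ok"]:
            print("   ", finding)
```

Running the module prints each constructed header with its findings; the hardened header passes, the no_secure variant reports only the missing Secure flag, and the SameSite=None variant is rejected even though Secure and HttpOnly are present.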

References

  • Security Considerations
  • CWE-1275: Sensitive Cookie with Improper SameSite Attribute

Ast Rule: function call


function visit(node, filename, code) {
  // Check one keyword argument of the set_cookie call. If the argument is
  // present with a value outside acceptableValues, report it and propose the
  // replacement `value`; if it is absent, report that and propose appending it.
  // Values whose AST type is not "string" (an identifier, for instance) are
  // left alone.
  const checkArgument = (args, name, value, acceptableValues) => {
    const matching = args.filter(a => a.name && a.name.value === name);

    if (matching.length > 0) {
      const argument = matching[0];
      if (argument.value && argument.value.astType === "string") {
        if (acceptableValues.includes(argument.value.value)) {
          return;
        }
        const error = buildError(argument.start.line, argument.start.col,
          argument.end.line, argument.end.col,
          `argument ${name} value is insecure`, "CRITICAL", "SECURITY");
        const edit = buildEditUpdate(argument.value.start.line, argument.value.start.col,
          argument.value.end.line, argument.value.end.col, value);
        const fix = buildFix(`change ${name} argument value with ${value}`, [edit]);
        addError(error.addFix(fix));
      }
    } else {
      const error = buildError(node.functionName.start.line, node.functionName.start.col,
        node.functionName.end.line, node.functionName.end.col,
        `argument ${name} not declared and leads to potential security issues`, "CRITICAL", "SECURITY");
      // Insert just before the closing parenthesis; prefix a comma when the
      // call already has arguments.
      const edit = buildEditAdd(node.end.line, node.end.col - 1,
        args.length > 0 ? `, ${name}=${value}` : `${name}=${value}`);
      const fix = buildFix(`add ${name} argument`, [edit]);
      addError(error.addFix(fix));
    }
  };

  // Only analyze files that import flask, either as `import flask` or
  // `from flask import ...`.
  const useFlask = node.context.imports.filter(i => {
    const useFlaskAsImport = i.astType === "importstatement" && i.packages.filter(p => p.name && p.name.value === "flask").length > 0;
    const useFlaskAsFrom = i.astType === "fromstatement" && i.pkg.str === "flask";
    return useFlaskAsImport || useFlaskAsFrom;
  }).length > 0;
  if (!useFlask) {
    return;
  }

  if (node.functionName && node.functionName.value && node.functionName.value === "set_cookie") {
    if (!node.arguments || !node.arguments.values) {
      return;
    }
    // secure and httponly must be the literal True; samesite must be Lax
    // (either quoting style).
    checkArgument(node.arguments.values, "secure", "True", ["True"]);
    checkArgument(node.arguments.values, "httponly", "True", ["True"]);
    checkArgument(node.arguments.values, "samesite", "\"Lax\"", ["\"Lax\"", "'Lax'"]);
  }
}

set_cookie.py

Expected test result: no error

import flask

response.set_cookie('username', 'flask', secure=True, httponly=True, samesite='Lax')

no_secure.py

Expected test result: no error

import flask

response.set_cookie('username', 'flask', httponly=True, samesite='Lax')

invalid-value.py

Expected test result: no error

import flask

response.set_cookie('username', 'flask', secure=wewe, httponly=True, samesite='Lax')
Codiga – All rights reserved 2022.