python.pyramid.audit.authtkt-cookie-httponly-unsafe-default.pyramid-authtkt-cookie-httponly-unsafe-default
semgrep
Author: unknown
Found a Pyramid Authentication Ticket cookie without the httponly option correctly set. Pyramid cookies should be handled securely by setting httponly=True. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.
Definition
rules:
  - id: pyramid-authtkt-cookie-httponly-unsafe-default
    patterns:
      - pattern: pyramid.authentication.$FUNC($...PARAMS)
      - metavariable-pattern:
          metavariable: $FUNC
          pattern-either:
            - pattern: AuthTktCookieHelper
            - pattern: AuthTktAuthenticationPolicy
      - pattern-not: pyramid.authentication.$FUNC(..., httponly=$HTTPONLY, ...)
      - pattern-not: pyramid.authentication.$FUNC(..., **$PARAMS, ...)
      - focus-metavariable: $...PARAMS
    fix: |
      $...PARAMS, httponly=True
    message: Found a Pyramid Authentication Ticket cookie without the httponly
      option correctly set. Pyramid cookies should be handled securely by
      setting httponly=True. If this parameter is not properly set, your cookies
      are not properly protected and are at risk of being stolen by an attacker.
    metadata:
      cwe:
        - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
      owasp:
        - A05:2021 - Security Misconfiguration
      category: security
      technology:
        - pyramid
      references:
        - https://owasp.org/Top10/A05_2021-Security_Misconfiguration
      subcategory:
        - vuln
      likelihood: LOW
      impact: LOW
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cookie Security
    languages:
      - python
    severity: WARNING
Examples
authtkt-cookie-httponly-unsafe-default.py
from pyramid.authentication import AuthTktCookieHelper, AuthTktAuthenticationPolicy

### True positives ###
def bad1():
    # ruleid: pyramid-authtkt-cookie-httponly-unsafe-default
    authtkt = AuthTktCookieHelper(secret="test")

def bad3():
    # ruleid: pyramid-authtkt-cookie-httponly-unsafe-default
    authtkt = AuthTktAuthenticationPolicy(secret="test")

### True negatives ###
def good1():
    # ok: pyramid-authtkt-cookie-httponly-unsafe-default
    authtkt = AuthTktCookieHelper(secret="test", httponly=True)

def good2(params):
    # ok: pyramid-authtkt-cookie-httponly-unsafe-default
    authtkt = AuthTktCookieHelper(**params)

def good3():
    # ok: pyramid-authtkt-cookie-httponly-unsafe-default
    authtkt = AuthTktAuthenticationPolicy(secret="test", httponly=True)

def good4(params):
    # ok: pyramid-authtkt-cookie-httponly-unsafe-default
    authtkt = AuthTktAuthenticationPolicy(**params)
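To make the three conditions of the rule above concrete (a call to one of the two constructors, no `httponly=` keyword, no `**kwargs` splat) and to show what its `fix:` produces, here is an added example that is not part of the rule, the registry page or Pyramid: a small `ast`-based checker that applies the same logic to a constructed sample module and an `autofix` that inserts the keyword before the closing parenthesis. Two points are this example's own choices: it only resolves names imported with `from pyramid.authentication import ...` (or fully qualified `pyramid.authentication.X(...)` calls), and it accepts either `httponly` or `http_only` as "flag was set", because Pyramid's `AuthTktCookieHelper` and `AuthTktAuthenticationPolicy` constructors spell the parameter `http_only`; `autofix` therefore takes the keyword to emit as a parameter, defaulting to the rule's `httponly`. It also assumes ASCII source, since `ast` column offsets are byte offsets.

```python
import ast
from dataclasses import dataclass
from typing import Dict, List, Tuple

MODULE = "pyramid.authentication"
# The two constructors the rule's metavariable-pattern accepts for $FUNC.
TARGET_CALLS = {"AuthTktCookieHelper", "AuthTktAuthenticationPolicy"}
# The rule's pattern-not looks for `httponly=`; Pyramid's constructors take `http_only`.
# Treating either spelling as "flag was set" is this example's choice, not the rule's.
HTTPONLY_KEYWORDS = {"httponly", "http_only"}


@dataclass
class Finding:
    lineno: int
    func: str
    reason: str


def _qualified(node: ast.expr) -> str:
    """Dotted name of a Name/Attribute chain, e.g. 'pyramid.authentication.AuthTktCookieHelper'."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _qualified(node.value)
        return f"{base}.{node.attr}" if base else ""
    return ""


def _flagged_calls(tree: ast.AST) -> List[Tuple[ast.Call, str]]:
    """Calls the rule would report, paired with the constructor name each resolves to.
    Aliases come from `from pyramid.authentication import X [as Y]` statements."""
    aliases: Dict[str, str] = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module == MODULE:
            for alias in node.names:
                if alias.name in TARGET_CALLS:
                    aliases[alias.asname or alias.name] = alias.name
    flagged = []
    prefix = MODULE + "."
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _qualified(node.func)
        if name in aliases:                                   # imported name (or alias)
            ctor = aliases[name]
        elif name.startswith(prefix) and name[len(prefix):] in TARGET_CALLS:
            ctor = name[len(prefix):]                         # fully qualified call
        else:
            continue
        kw_names = {kw.arg for kw in node.keywords}           # kw.arg is None for a **splat
        if None in kw_names:
            continue   # `**params`: the flag may be inside; the rule's second pattern-not skips it
        if kw_names & HTTPONLY_KEYWORDS:
            continue   # explicitly passed; the rule only checks presence, not the value
        flagged.append((node, ctor))
    return sorted(flagged, key=lambda item: (item[0].lineno, item[0].col_offset))


def find_httponly_unsafe_default(source: str) -> List[Finding]:
    """Report each target constructor that leaves Pyramid's HttpOnly default (off) in place."""
    return [Finding(call.lineno, ctor, "httponly not set; Pyramid's default leaves HttpOnly off")
            for call, ctor in _flagged_calls(ast.parse(source))]


def autofix(source: str, keyword: str = "httponly") -> str:
    """Apply the rule's fix (`$...PARAMS, httponly=True`) to every finding.
    Pass keyword='http_only' to emit the name Pyramid's constructors actually accept.
    Assumes ASCII source, since ast column offsets are byte offsets."""
    lines = source.split("\n")
    # Edit from the last closing paren backwards so earlier offsets stay valid (also for nesting).
    calls = sorted(_flagged_calls(ast.parse(source)),
                   key=lambda item: (item[0].end_lineno, item[0].end_col_offset), reverse=True)
    for call, _ in calls:
        row, col = call.end_lineno - 1, call.end_col_offset - 1   # col indexes the closing ')'
        insert = f"{keyword}=True" if not (call.args or call.keywords) else f", {keyword}=True"
        lines[row] = lines[row][:col] + insert + lines[row][col:]
    return "\n".join(lines)


# Constructed sample module (not from the page): the rule's own cases plus an
# aliased import, a fully qualified call, an empty-argument call and a non-target.
SAMPLE_SOURCE = """\
from pyramid.authentication import AuthTktCookieHelper, AuthTktAuthenticationPolicy as Policy
import pyramid.authentication

bad_helper = AuthTktCookieHelper(secret="test")                            # flagged
bad_policy = pyramid.authentication.AuthTktAuthenticationPolicy("secret")  # flagged
bad_alias = Policy()                                                       # flagged (no args)
ok_helper = AuthTktCookieHelper(secret="test", httponly=True)              # rule's spelling
ok_policy = Policy(secret="test", http_only=True)                          # Pyramid's spelling
unknown = Policy(**params)                                                 # splat: skipped
other = SomethingElse(secret="test")                                       # not a target
"""

if __name__ == "__main__":
    for f in find_httponly_unsafe_default(SAMPLE_SOURCE):
        print(f"line {f.lineno}: {f.func}: {f.reason}")
    print(autofix(SAMPLE_SOURCE, keyword="http_only"))
```

Running the module reports lines 4, 5 and 6 of the sample and prints the sample with `http_only=True` added to those three calls; the `**params` call is left alone, which is also why the rule's own `good2` and `good4` cases pass, even though nothing guarantees the dict sets the flag.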
Short Link: https://sg.run/EprB