python.pyramid.audit.authtkt-cookie-httponly-unsafe-default.pyramid-authtkt-cookie-httponly-unsafe-default

profile photo of semgrepsemgrep
Author
unknown
Download Count*
LGPL Commons Clause
License

Found a Pyramid Authentication Ticket cookie without the httponly option correctly set. Pyramid cookies should be handled securely by setting httponly=True. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: pyramid-authtkt-cookie-httponly-unsafe-default
    patterns:
      - pattern: pyramid.authentication.$FUNC($...PARAMS)
      - metavariable-pattern:
          metavariable: $FUNC
          pattern-either:
            - pattern: AuthTktCookieHelper
            - pattern: AuthTktAuthenticationPolicy
      - pattern-not: pyramid.authentication.$FUNC(..., httponly=$HTTPONLY, ...)
      - pattern-not: pyramid.authentication.$FUNC(..., **$PARAMS, ...)
      - focus-metavariable: $...PARAMS
    fix: |
      $...PARAMS, httponly=True
    message: Found a Pyramid Authentication Ticket cookie without the httponly
      option correctly set. Pyramid cookies should be handled securely by
      setting httponly=True. If this parameter is not properly set, your cookies
      are not properly protected and are at risk of being stolen by an attacker.
    metadata:
      cwe:
        - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
      owasp:
        - A05:2021 - Security Misconfiguration
      category: security
      technology:
        - pyramid
      references:
        - https://owasp.org/Top10/A05_2021-Security_Misconfiguration
      subcategory:
        - vuln
      likelihood: LOW
      impact: LOW
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cookie Security
    languages:
      - python
    severity: WARNING

Examples

authtkt-cookie-httponly-unsafe-default.py

from pyramid.authentication import AuthTktCookieHelper, AuthTktAuthenticationPolicy


### True positives ###


def bad1():
    # ruleid: pyramid-authtkt-cookie-httponly-unsafe-default
    authtkt = AuthTktCookieHelper(secret="test")


def bad3():
    # ruleid: pyramid-authtkt-cookie-httponly-unsafe-default
    authtkt = AuthTktAuthenticationPolicy(secret="test")


### True negatives ###


def good1():
    # ok: pyramid-authtkt-cookie-httponly-unsafe-default
    authtkt = AuthTktCookieHelper(secret="test", httponly=True)


def good2(params):
    # ok: pyramid-authtkt-cookie-httponly-unsafe-default
    authtkt = AuthTktCookieHelper(**params)


def good3():
    # ok: pyramid-authtkt-cookie-httponly-unsafe-default
    authtkt = AuthTktAuthenticationPolicy(secret="test", httponly=True)


def good4(params):
    # ok: pyramid-authtkt-cookie-httponly-unsafe-default
    authtkt = AuthTktAuthenticationPolicy(**params)