python.pyramid.audit.authtkt-cookie-httponly-unsafe-value.pyramid-authtkt-cookie-httponly-unsafe-value

Author: unknown

Found a Pyramid Authentication Ticket cookie without the httponly option correctly set. Pyramid cookies should be handled securely by setting httponly=True. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.


Definition

rules:
  - id: pyramid-authtkt-cookie-httponly-unsafe-value
    patterns:
      - pattern-either:
          - patterns:
              - pattern-not: pyramid.authentication.AuthTktCookieHelper(..., **$PARAMS)
              - pattern: pyramid.authentication.AuthTktCookieHelper(..., httponly=$HTTPONLY, ...)
          - patterns:
              - pattern-not: pyramid.authentication.AuthTktAuthenticationPolicy(..., **$PARAMS)
              - pattern: pyramid.authentication.AuthTktAuthenticationPolicy(..., httponly=$HTTPONLY, ...)
      - pattern: $HTTPONLY
      - metavariable-pattern:
          metavariable: $HTTPONLY
          pattern: |
            False
    fix: |
      True
    message: Found a Pyramid Authentication Ticket cookie without the httponly
      option correctly set. Pyramid cookies should be handled securely by
      setting httponly=True. If this parameter is not properly set, your cookies
      are not properly protected and are at risk of being stolen by an attacker.
    metadata:
      cwe:
        - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
      owasp:
        - A05:2021 - Security Misconfiguration
      category: security
      technology:
        - pyramid
      references:
        - https://owasp.org/Top10/A05_2021-Security_Misconfiguration
      subcategory:
        - vuln
      likelihood: LOW
      impact: LOW
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cookie Security
    languages:
      - python
    severity: WARNING
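To make the rule's matching logic concrete, the following is an added example (not part of the Semgrep rule or the Pyramid project) that re-implements the same checks with Python's standard `ast` module: it flags calls to `AuthTktCookieHelper` or `AuthTktAuthenticationPolicy` that pass a literal `httponly=False`, skips calls that forward `**kwargs` (the `pattern-not` clauses), and ignores non-literal values (the `metavariable-pattern: False` clause). The `SAMPLE` source is constructed for the demonstration and the function names are this example's own.

```python
import ast
from typing import List, Optional, Tuple

# Constructor names targeted by the Semgrep rule above.
TARGET_CALLS = {"AuthTktCookieHelper", "AuthTktAuthenticationPolicy"}


def _callee_name(call: ast.Call) -> Optional[str]:
    """Return the last component of the called expression, so that both
    `AuthTktCookieHelper(...)` and
    `pyramid.authentication.AuthTktCookieHelper(...)` resolve to the same name."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def find_httponly_false(source: str) -> List[Tuple[int, str]]:
    """Return (line number, constructor name) for every targeted call that
    passes a literal httponly=False.

    Mirrors the rule's semantics:
      * a call that forwards **params is skipped, because the value cannot be
        seen statically (pattern-not ... **$PARAMS);
      * only the literal `False` is reported, so httponly=some_flag or
        httponly=0 is not matched (metavariable-pattern: False);
      * a call that omits httponly entirely is not reported by this rule.
    """
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _callee_name(node)
        if name not in TARGET_CALLS:
            continue
        # `**params` present: equivalent to the rule's pattern-not clause.
        if any(kw.arg is None for kw in node.keywords):
            continue
        for kw in node.keywords:
            if (
                kw.arg == "httponly"
                and isinstance(kw.value, ast.Constant)
                and kw.value.value is False
            ):
                findings.append((node.lineno, name))
    return sorted(findings)


# Constructed sample source; the line numbers below count from the leading newline.
SAMPLE = '''
from pyramid.authentication import AuthTktCookieHelper, AuthTktAuthenticationPolicy
import pyramid.authentication

bad = AuthTktCookieHelper(secret="test", httponly=False)
also_bad = pyramid.authentication.AuthTktAuthenticationPolicy(secret="test", httponly=False)
ok1 = AuthTktCookieHelper(secret="test", httponly=True)
ok2 = AuthTktAuthenticationPolicy(**params)
ok3 = AuthTktCookieHelper(secret="test", httponly=flag)
'''


if __name__ == "__main__":
    for line, name in find_httponly_false(SAMPLE):
        print(f"line {line}: {name} called with httponly=False")
```

Running the script reports only the two calls on lines 5 and 6 of the sample. Note the gap this shows: a call that sets `httponly` to a variable, to a falsy non-`False` value, or that omits the parameter altogether is not covered by this rule, so review those cases (and the Pyramid default for your version) separately.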

Examples

authtkt-cookie-httponly-unsafe-value.py

from pyramid.authentication import AuthTktCookieHelper, AuthTktAuthenticationPolicy


### True positives ###


def bad1():
    # ruleid: pyramid-authtkt-cookie-httponly-unsafe-value
    authtkt = AuthTktCookieHelper(secret="test", httponly=False)


def bad2():
    # ruleid: pyramid-authtkt-cookie-httponly-unsafe-value
    authtkt = AuthTktAuthenticationPolicy(secret="test", httponly=False)


### True negatives ###


def good1():
    # ok: pyramid-authtkt-cookie-httponly-unsafe-value
    authtkt = AuthTktCookieHelper(secret="test", httponly=True)


def good2(params):
    # ok: pyramid-authtkt-cookie-httponly-unsafe-value
    authtkt = AuthTktCookieHelper(**params)


def good3():
    # ok: pyramid-authtkt-cookie-httponly-unsafe-value
    authtkt = AuthTktAuthenticationPolicy(secret="test", httponly=True)


def good4(params):
    # ok: pyramid-authtkt-cookie-httponly-unsafe-value
    authtkt = AuthTktAuthenticationPolicy(**params)