python.pyramid.audit.authtkt-cookie-httponly-unsafe-value.pyramid-authtkt-cookie-httponly-unsafe-value
semgrep
Found a Pyramid Authentication Ticket cookie without the httponly option correctly set. Pyramid cookies should be handled securely by setting httponly=True. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.
Definition
rules:
  - id: pyramid-authtkt-cookie-httponly-unsafe-value
    patterns:
      - pattern-either:
          - patterns:
              - pattern-not: pyramid.authentication.AuthTktCookieHelper(..., **$PARAMS)
              - pattern: pyramid.authentication.AuthTktCookieHelper(..., httponly=$HTTPONLY, ...)
          - patterns:
              - pattern-not: pyramid.authentication.AuthTktAuthenticationPolicy(..., **$PARAMS)
              - pattern: pyramid.authentication.AuthTktAuthenticationPolicy(..., httponly=$HTTPONLY, ...)
      - pattern: $HTTPONLY
      - metavariable-pattern:
          metavariable: $HTTPONLY
          pattern: |
            False
    fix: |
      True
    message: Found a Pyramid Authentication Ticket cookie without the httponly
      option correctly set. Pyramid cookies should be handled securely by
      setting httponly=True. If this parameter is not properly set, your cookies
      are not properly protected and are at risk of being stolen by an attacker.
    metadata:
      cwe:
        - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
      owasp:
        - A05:2021 - Security Misconfiguration
      category: security
      technology:
        - pyramid
      references:
        - https://owasp.org/Top10/A05_2021-Security_Misconfiguration
      subcategory:
        - vuln
      likelihood: LOW
      impact: LOW
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cookie Security
    languages:
      - python
    severity: WARNING
Examples
authtkt-cookie-httponly-unsafe-value.py
from pyramid.authentication import AuthTktCookieHelper, AuthTktAuthenticationPolicy

### True positives ###
def bad1():
    # ruleid: pyramid-authtkt-cookie-httponly-unsafe-value
    authtkt = AuthTktCookieHelper(secret="test", httponly=False)

def bad2():
    # ruleid: pyramid-authtkt-cookie-httponly-unsafe-value
    authtkt = AuthTktAuthenticationPolicy(secret="test", httponly=False)

### True negatives ###
def good1():
    # ok: pyramid-authtkt-cookie-httponly-unsafe-value
    authtkt = AuthTktCookieHelper(secret="test", httponly=True)

def good2(params):
    # ok: pyramid-authtkt-cookie-httponly-unsafe-value
    authtkt = AuthTktCookieHelper(**params)

def good3():
    # ok: pyramid-authtkt-cookie-httponly-unsafe-value
    authtkt = AuthTktAuthenticationPolicy(secret="test", httponly=True)

def good4(params):
    # ok: pyramid-authtkt-cookie-httponly-unsafe-value
    authtkt = AuthTktAuthenticationPolicy(**params)
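As an added example, not part of the Semgrep rule or of Pyramid: a small ast-based checker that mirrors the rule's matching logic in plain Python, so the two exclusions in the YAML (calls that pass **params, and any value other than the literal False) can be seen against the shapes in the test file above. The SAMPLE source, TARGETS and the function names are constructed for this example.

```python
"""Added example: replicate the rule's matching logic with the ast module.
Not the Semgrep engine and not Pyramid code; it runs without pyramid installed."""
import ast
from typing import List, Optional, Tuple

# The two constructors the rule inspects. The rule writes them fully qualified;
# the test file imports them by name, so both call spellings are handled.
TARGETS = {"AuthTktCookieHelper", "AuthTktAuthenticationPolicy"}


def _callee_name(call: ast.Call) -> Optional[str]:
    """Last component of the called name: f(...) or mod.f(...)."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def find_httponly_false(source: str) -> List[Tuple[int, str]]:
    """Return (line, callee) for every call this rule would report.

    Mirrors the YAML: skip calls that pass **params (pattern-not ... **$PARAMS),
    then report calls whose explicit httponly keyword is the literal False
    (metavariable-pattern on $HTTPONLY). httponly=True or an absent keyword
    is not reported, exactly as in the good*/bad* cases of the test file."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or _callee_name(node) not in TARGETS:
            continue
        # ** unpacking: the rule cannot see the value, so it stays silent.
        if any(kw.arg is None for kw in node.keywords):
            continue
        for kw in node.keywords:
            if kw.arg == "httponly" and isinstance(kw.value, ast.Constant) \
                    and kw.value.value is False:
                findings.append((node.lineno, _callee_name(node)))
    return sorted(findings)


# Constructed sample input covering the rule's positive and negative shapes.
SAMPLE = '''
from pyramid.authentication import AuthTktCookieHelper, AuthTktAuthenticationPolicy
a = AuthTktCookieHelper(secret="test", httponly=False)
b = AuthTktAuthenticationPolicy(secret="test", httponly=False)
c = AuthTktCookieHelper(secret="test", httponly=True)
d = AuthTktCookieHelper(**params)
e = AuthTktAuthenticationPolicy(**params)
f = AuthTktCookieHelper(secret="test")
'''

if __name__ == "__main__":
    print(find_httponly_false(SAMPLE))  # [(3, 'AuthTktCookieHelper'), (4, 'AuthTktAuthenticationPolicy')]
```

Note that a call built from a variable (`flag = False; AuthTktCookieHelper(secret=s, httponly=flag)`) is not caught by this literal-only check, so the absent-keyword and **params cases are the ones to review by hand when auditing cookie settings.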
Short Link: https://sg.run/7DgQ