python.pyramid.audit.authtkt-cookie-samesite.pyramid-authtkt-cookie-samesite
semgrep
Found a Pyramid Authentication Ticket without the samesite option correctly set. Pyramid cookies should be handled securely by setting samesite='Lax'. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.
Definition
rules:
  - id: pyramid-authtkt-cookie-samesite
    patterns:
      - pattern-either:
          - pattern: pyramid.authentication.AuthTktCookieHelper(..., samesite=$SAMESITE, ...)
          - pattern: pyramid.authentication.AuthTktAuthenticationPolicy(..., samesite=$SAMESITE, ...)
      - pattern: $SAMESITE
      - metavariable-regex:
          metavariable: $SAMESITE
          regex: (?!'Lax')
    fix: |
      'Lax'
    message: >-
      Found a Pyramid Authentication Ticket without the samesite option
      correctly set. Pyramid cookies should be handled securely by setting
      samesite='Lax'. If this parameter is not properly set, your cookies are
      not properly protected and are at risk of being stolen by an attacker.
    metadata:
      cwe:
        - "CWE-1275: Sensitive Cookie with Improper SameSite Attribute"
      owasp:
        - A01:2021 - Broken Access Control
      category: security
      technology:
        - pyramid
      references:
        - https://owasp.org/Top10/A01_2021-Broken_Access_Control
      subcategory:
        - vuln
      likelihood: LOW
      impact: LOW
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cookie Security
    languages:
      - python
    severity: WARNING
Examples
authtkt-cookie-samesite.py
from pyramid.authentication import AuthTktCookieHelper, AuthTktAuthenticationPolicy


### True positives ###

def bad1():
    # ruleid: pyramid-authtkt-cookie-samesite
    authtkt = AuthTktCookieHelper(secret="test", samesite=None)


def bad2():
    # ruleid: pyramid-authtkt-cookie-samesite
    authtkt = AuthTktAuthenticationPolicy(secret="test", samesite=None)


### True negatives ###

def good1():
    # ok: pyramid-authtkt-cookie-samesite
    authtkt = AuthTktCookieHelper(secret="test")


def good2():
    # ok: pyramid-authtkt-cookie-samesite
    authtkt = AuthTktCookieHelper(secret="test", samesite='Lax')


def good3():
    # ok: pyramid-authtkt-cookie-samesite
    authtkt = AuthTktAuthenticationPolicy(secret="test")


def good4():
    # ok: pyramid-authtkt-cookie-samesite
    authtkt = AuthTktAuthenticationPolicy(secret="test", samesite='Lax')
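As an added example, not part of this rule page and not code from Semgrep or Pyramid, the stdlib-only checker below reimplements the rule's matching logic with Python's `ast` module so the decisions encoded in the definition can be traced on the test file: only an explicit `samesite=` keyword on `AuthTktCookieHelper` or `AuthTktAuthenticationPolicy` is inspected, an omitted keyword is left alone (as in good1 and good3, matching Pyramid's own default of 'Lax' in 1.10 and later), and any value other than the literal 'Lax' is reported, which means the rule's `(?!'Lax')` regex also flags the stricter 'Strict'. The function name `find_samesite_findings`, its `allowed` parameter and the embedded sample source are assumptions of this example.

```python
"""Stdlib-only mirror of the pyramid-authtkt-cookie-samesite rule (added example)."""
import ast
from typing import Optional

# The two Pyramid constructors named in the rule definition.
TARGET_CALLS = {"AuthTktCookieHelper", "AuthTktAuthenticationPolicy"}
RULE_ID = "pyramid-authtkt-cookie-samesite"
FIX = "'Lax'"  # the rule's autofix replaces the samesite value with this


def _callee_name(node: ast.Call) -> Optional[str]:
    """Return the simple name of the called object, whether written as
    AuthTktCookieHelper(...) or pyramid.authentication.AuthTktCookieHelper(...)."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def find_samesite_findings(source: str, allowed=("Lax",)):
    """Return one finding per target call whose explicit samesite= value is not
    an accepted string literal. An omitted samesite keyword is not reported:
    Pyramid 1.10+ defaults it to 'Lax'. `allowed` is an assumption of this
    example; the rule itself accepts only 'Lax'."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or _callee_name(node) not in TARGET_CALLS:
            continue
        for kw in node.keywords:
            if kw.arg != "samesite":
                continue
            value = kw.value
            ok = isinstance(value, ast.Constant) and value.value in allowed
            if not ok:
                findings.append({
                    "rule": RULE_ID,
                    "line": node.lineno,
                    "call": _callee_name(node),
                    "samesite": ast.unparse(value),
                    "fix": FIX,
                })
    return findings


# Constructed sample source: the page's bad/good cases plus 'Strict' and a
# module-qualified call with samesite=False.
SAMPLE = (
    "from pyramid.authentication import AuthTktCookieHelper, AuthTktAuthenticationPolicy\n"
    'helper = AuthTktCookieHelper(secret="test", samesite=None)\n'                       # line 2: flagged
    'policy = AuthTktAuthenticationPolicy(secret="test", samesite=None)\n'               # line 3: flagged
    'helper_default = AuthTktCookieHelper(secret="test")\n'                              # line 4: ok (omitted)
    "helper_lax = AuthTktCookieHelper(secret=\"test\", samesite='Lax')\n"                # line 5: ok
    "policy_strict = AuthTktAuthenticationPolicy(secret=\"test\", samesite='Strict')\n"  # line 6: flagged by the rule
    'qualified = pyramid.authentication.AuthTktCookieHelper(secret="test", samesite=False)\n'  # line 7: flagged
)


if __name__ == "__main__":
    for finding in find_samesite_findings(SAMPLE):
        print(f"{finding['rule']}: line {finding['line']} {finding['call']}"
              f"(samesite={finding['samesite']}) -> fix: samesite={finding['fix']}")
```

Run the file directly to see the four reported lines from the sample. This mirror is only meant to make the rule's semantics concrete; use semgrep itself for scanning. If your policy treats 'Strict' as acceptable, pass `allowed=("Lax", "Strict")`, which is one way to silence that particular finding without weakening the check on `None`.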
Short Link: https://sg.run/LYrY