python.pyramid.audit.authtkt-cookie-samesite.pyramid-authtkt-cookie-samesite

profile photo of semgrepsemgrep
Author
unknown
Download Count*
LGPL Commons Clause
License

Found a Pyramid Authentication Ticket without the samesite option correctly set. Pyramid cookies should be handled securely by setting samesite='Lax'. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: pyramid-authtkt-cookie-samesite
    patterns:
      - pattern-either:
          - pattern: pyramid.authentication.AuthTktCookieHelper(..., samesite=$SAMESITE,
              ...)
          - pattern: pyramid.authentication.AuthTktAuthenticationPolicy(...,
              samesite=$SAMESITE, ...)
      - pattern: $SAMESITE
      - metavariable-regex:
          metavariable: $SAMESITE
          regex: (?!'Lax')
    fix: |
      'Lax'
    message: Found a Pyramid Authentication Ticket without the samesite option
      correctly set. Pyramid cookies should be handled securely by setting
      samesite='Lax'. If this parameter is not properly set, your cookies are
      not properly protected and are at risk of being stolen by an attacker.
    metadata:
      cwe:
        - "CWE-1275: Sensitive Cookie with Improper SameSite Attribute"
      owasp:
        - A01:2021 - Broken Access Control
      category: security
      technology:
        - pyramid
      references:
        - https://owasp.org/Top10/A01_2021-Broken_Access_Control
      subcategory:
        - vuln
      likelihood: LOW
      impact: LOW
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cookie Security
    languages:
      - python
    severity: WARNING

Examples

authtkt-cookie-samesite.py

from pyramid.authentication import AuthTktCookieHelper, AuthTktAuthenticationPolicy


### True positives ###


def bad1():
    # ruleid: pyramid-authtkt-cookie-samesite
    authtkt = AuthTktCookieHelper(secret="test", samesite=None)


def bad2():
    # ruleid: pyramid-authtkt-cookie-samesite
    authtkt = AuthTktAuthenticationPolicy(secret="test", samesite=None)


### True negatives ###


def good1():
    # ok: pyramid-authtkt-cookie-samesite
    authtkt = AuthTktCookieHelper(secret="test")


def good2():
    # ok: pyramid-authtkt-cookie-samesite
    authtkt = AuthTktCookieHelper(secret="test", samesite='Lax')


def good3():
    # ok: pyramid-authtkt-cookie-samesite
    authtkt = AuthTktAuthenticationPolicy(secret="test")


def good4():
    # ok: pyramid-authtkt-cookie-samesite
    authtkt = AuthTktAuthenticationPolicy(secret="test", samesite='Lax')