python.pyramid.audit.authtkt-cookie-secure-unsafe-value.pyramid-authtkt-cookie-secure-unsafe-value
semgrep
Found a Pyramid Authentication Ticket cookie without the secure option correctly set. Pyramid cookies should be handled securely by setting secure=True. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.
Definition
```yaml
rules:
  - id: pyramid-authtkt-cookie-secure-unsafe-value
    patterns:
      - pattern-either:
          - patterns:
              - pattern-not: pyramid.authentication.AuthTktCookieHelper(..., **$PARAMS)
              - pattern: pyramid.authentication.AuthTktCookieHelper(..., secure=$SECURE, ...)
          - patterns:
              - pattern-not: pyramid.authentication.AuthTktAuthenticationPolicy(..., **$PARAMS)
              - pattern: pyramid.authentication.AuthTktAuthenticationPolicy(..., secure=$SECURE, ...)
      - pattern: $SECURE
      - metavariable-pattern:
          metavariable: $SECURE
          pattern: |
            False
    fix: |
      True
    message: Found a Pyramid Authentication Ticket cookie without the secure option
      correctly set. Pyramid cookies should be handled securely by setting
      secure=True. If this parameter is not properly set, your cookies are not
      properly protected and are at risk of being stolen by an attacker.
    metadata:
      cwe:
        - "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute"
      owasp:
        - A05:2021 - Security Misconfiguration
      category: security
      technology:
        - pyramid
      references:
        - https://owasp.org/Top10/A05_2021-Security_Misconfiguration
      subcategory:
        - vuln
      likelihood: LOW
      impact: LOW
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cookie Security
    languages:
      - python
    severity: WARNING
```
Examples
authtkt-cookie-secure-unsafe-value.py

```python
from pyramid.authentication import AuthTktCookieHelper, AuthTktAuthenticationPolicy


### True positives ###
def bad1():
    # ruleid: pyramid-authtkt-cookie-secure-unsafe-value
    authtkt = AuthTktCookieHelper(secret="test", secure=False)


def bad2():
    # ruleid: pyramid-authtkt-cookie-secure-unsafe-value
    authtkt = AuthTktAuthenticationPolicy(secret="test", secure=False)


### True negatives ###
def good1():
    # ok: pyramid-authtkt-cookie-secure-unsafe-value
    authtkt = AuthTktCookieHelper(secret="test", secure=True)


def good2(params):
    # ok: pyramid-authtkt-cookie-secure-unsafe-value
    authtkt = AuthTktCookieHelper(**params)


def good3():
    # ok: pyramid-authtkt-cookie-secure-unsafe-value
    authtkt = AuthTktAuthenticationPolicy(secret="test", secure=True)


def good4(params):
    # ok: pyramid-authtkt-cookie-secure-unsafe-value
    authtkt = AuthTktAuthenticationPolicy(**params)
```
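As an added illustration, not part of the Semgrep registry or of the rule itself, the following stdlib-only checker reimplements the rule's core logic with Python's `ast` module: it reports `AuthTktCookieHelper` and `AuthTktAuthenticationPolicy` calls whose `secure` keyword is the literal `False`, and, like the rule's `pattern-not` clauses, skips calls that forward `**params`. The function name `find_insecure_authtkt` and the `SAMPLE` source are constructed for this example.

```python
from __future__ import annotations

import ast

RULE_ID = "pyramid-authtkt-cookie-secure-unsafe-value"
TARGET_CALLS = {"AuthTktCookieHelper", "AuthTktAuthenticationPolicy"}


def _callee_name(node: ast.Call) -> str | None:
    # Accept a bare name or dotted access such as pyramid.authentication.X.
    if isinstance(node.func, ast.Attribute):
        return node.func.attr
    if isinstance(node.func, ast.Name):
        return node.func.id
    return None


def find_insecure_authtkt(source: str) -> list[tuple[int, str]]:
    """Return (line, callee) for each target call that passes secure=False."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _callee_name(node)
        if name not in TARGET_CALLS:
            continue
        # Mirrors the rule's pattern-not: with **params the value is not
        # visible statically, so the call is skipped rather than flagged.
        if any(kw.arg is None for kw in node.keywords):
            continue
        for kw in node.keywords:
            if (kw.arg == "secure" and isinstance(kw.value, ast.Constant)
                    and kw.value.value is False):
                findings.append((node.lineno, name))
    return sorted(findings)


# Constructed sample input modelled on the registry test file above.
SAMPLE = """\
from pyramid.authentication import AuthTktCookieHelper, AuthTktAuthenticationPolicy
bad1 = AuthTktCookieHelper(secret="test", secure=False)
ok1 = AuthTktCookieHelper(secret="test", secure=True)
ok2 = AuthTktAuthenticationPolicy(**params)
bad2 = pyramid.authentication.AuthTktAuthenticationPolicy(secret="s", secure=False)
"""

if __name__ == "__main__":
    for line, callee in find_insecure_authtkt(SAMPLE):
        print(f"{RULE_ID}: line {line}: {callee}(secure=False)")
```

Like the rule, this does not report calls that omit `secure` altogether, even though Pyramid's default for that parameter is False, so those still deserve a manual look.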
Short Link: https://sg.run/gjp5