python.pyramid.audit.authtkt-cookie-secure-unsafe-value.pyramid-authtkt-cookie-secure-unsafe-value

profile photo of semgrepsemgrep
Author
unknown
Download Count*
LGPL Commons Clause
License

Found a Pyramid Authentication Ticket cookie without the secure option correctly set. Pyramid cookies should be handled securely by setting secure=True. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: pyramid-authtkt-cookie-secure-unsafe-value
    patterns:
      - pattern-either:
          - patterns:
              - pattern-not: pyramid.authentication.AuthTktCookieHelper(..., **$PARAMS)
              - pattern: pyramid.authentication.AuthTktCookieHelper(..., secure=$SECURE, ...)
          - patterns:
              - pattern-not: pyramid.authentication.AuthTktAuthenticationPolicy(..., **$PARAMS)
              - pattern: pyramid.authentication.AuthTktAuthenticationPolicy(..., secure=$SECURE,
                  ...)
      - pattern: $SECURE
      - metavariable-pattern:
          metavariable: $SECURE
          pattern: |
            False
    fix: |
      True
    message: Found a Pyramid Authentication Ticket cookie without the secure option
      correctly set. Pyramid cookies should be handled securely by setting
      secure=True. If this parameter is not properly set, your cookies are not
      properly protected and are at risk of being stolen by an attacker.
    metadata:
      cwe:
        - "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute"
      owasp:
        - A05:2021 - Security Misconfiguration
      category: security
      technology:
        - pyramid
      references:
        - https://owasp.org/Top10/A05_2021-Security_Misconfiguration
      subcategory:
        - vuln
      likelihood: LOW
      impact: LOW
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cookie Security
    languages:
      - python
    severity: WARNING

Examples

authtkt-cookie-secure-unsafe-value.py

from pyramid.authentication import AuthTktCookieHelper, AuthTktAuthenticationPolicy


### True positives ###


def bad1():
    # ruleid: pyramid-authtkt-cookie-secure-unsafe-value
    authtkt = AuthTktCookieHelper(secret="test", secure=False)


def bad2():
    # ruleid: pyramid-authtkt-cookie-secure-unsafe-value
    authtkt = AuthTktAuthenticationPolicy(secret="test", secure=False)


### True negatives ###


def good1():
    # ok: pyramid-authtkt-cookie-secure-unsafe-value
    authtkt = AuthTktCookieHelper(secret="test", secure=True)


def good2(params):
    # ok: pyramid-authtkt-cookie-secure-unsafe-value
    authtkt = AuthTktCookieHelper(**params)


def good3():
    # ok: pyramid-authtkt-cookie-secure-unsafe-value
    authtkt = AuthTktAuthenticationPolicy(secret="test", secure=True)


def good4(params):
    # ok: pyramid-authtkt-cookie-secure-unsafe-value
    authtkt = AuthTktAuthenticationPolicy(**params)