python.pyramid.audit.set-cookie-httponly-unsafe-default.pyramid-set-cookie-httponly-unsafe-default
semgrep
Author
unknown
Found a Pyramid cookie using an unsafe default for the httponly option. Pyramid cookies should be handled securely by setting httponly=True in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.
Definition
rules:
- id: pyramid-set-cookie-httponly-unsafe-default
  patterns:
  - pattern-either:
    - pattern-inside: |
        @pyramid.view.view_config(...)
        def $VIEW($REQUEST):
          ...
          $RESPONSE = $REQUEST.response
          ...
    - pattern-inside: |
        def $VIEW(...):
          ...
          $RESPONSE = pyramid.httpexceptions.HTTPFound(...)
          ...
  - pattern-not: $RESPONSE.set_cookie(..., httponly=$HTTPONLY, ...)
  - pattern-not: $RESPONSE.set_cookie(..., **$PARAMS)
  - pattern: $RESPONSE.set_cookie(...)
  fix-regex:
    regex: (.*)\)
    replacement: \1, httponly=True)
  message: Found a Pyramid cookie using an unsafe default for the httponly option.
    Pyramid cookies should be handled securely by setting httponly=True in
    response.set_cookie(...). If this parameter is not properly set, your
    cookies are not properly protected and are at risk of being stolen by an
    attacker.
  metadata:
    cwe:
    - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
    owasp:
    - A05:2021 - Security Misconfiguration
    category: security
    technology:
    - pyramid
    references:
    - https://owasp.org/Top10/A05_2021-Security_Misconfiguration
    subcategory:
    - vuln
    likelihood: LOW
    impact: LOW
    confidence: MEDIUM
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    vulnerability_class:
    - Cookie Security
  languages:
  - python
  severity: WARNING
Examples
set-cookie-httponly-unsafe-default.py
from pyramid import httpexceptions as exc
from pyramid.view import view_config

# Assumed definition so the module imports cleanly; the original test file
# referenced this name without defining it.
global_cookie_flags = {'secure': True, 'httponly': True}

### True positives ###
@view_config(route_name='my_view')
def my_bad_view1(request):
    response = request.response
    # ruleid: pyramid-set-cookie-httponly-unsafe-default
    response.set_cookie('MY_COOKIE', value='MY_COOKIE_VALUE', secure=True)
    return {'foo': 'bar'}


@view_config(route_name='my_view')
def my_bad_view2(request):
    resp = exc.HTTPFound(location=request.referer or request.application_url)
    # ruleid: pyramid-set-cookie-httponly-unsafe-default
    resp.set_cookie('MY_COOKIE', value='MY_COOKIE_VALUE',
                    secure=True)
    return resp


### True negatives ###
@view_config(route_name='my_view')
def my_good_view1(request):
    response = request.response
    # ok: pyramid-set-cookie-httponly-unsafe-default
    response.set_cookie('MY_COOKIE', value='MY_COOKIE_VALUE',
                        secure=True, httponly=True)
    return {'foo': 'bar'}


@view_config(route_name='my_view')
def my_good_view2(request):
    resp = exc.HTTPFound(location=request.referer or request.application_url)
    # ok: pyramid-set-cookie-httponly-unsafe-default
    resp.set_cookie('MY_COOKIE', secure=True,
                    httponly=True, value='MY_COOKIE_VALUE')
    return resp


@view_config(route_name='my_view')
def my_good_view3(request):
    resp = exc.HTTPFound(location=request.referer or request.application_url)
    # ok: pyramid-set-cookie-httponly-unsafe-default
    resp.set_cookie('MY_COOKIE', value='MY_COOKIE_VALUE',
                    **global_cookie_flags)
    return resp
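The rule above finds the call site statically; a complementary runtime check is to inspect the Set-Cookie headers the application actually emits. This added example (not part of the Semgrep rule or its test file) audits a WSGI-style header list with the standard library only; the header values are constructed to mirror what the page's views would produce.

```python
"""Audit Set-Cookie headers for the HttpOnly (and Secure) attribute.

Pyramid hands its response headers to the WSGI server as a list of
(name, value) pairs, so this check works on exactly that shape.
"""
from http.cookies import SimpleCookie


def audit_set_cookie(headers):
    """Return {cookie_name: {"httponly": bool, "secure": bool}} for every
    Set-Cookie header in a list of (header_name, header_value) pairs."""
    report = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)  # parses one Set-Cookie line into Morsel objects
        for cookie_name, morsel in jar.items():
            # Flag attributes are True when present and "" when absent.
            report[cookie_name] = {
                "httponly": bool(morsel["httponly"]),
                "secure": bool(morsel["secure"]),
            }
    return report


def cookies_missing_httponly(headers):
    """Names of cookies a page script could read via document.cookie."""
    report = audit_set_cookie(headers)
    return sorted(n for n, flags in report.items() if not flags["httponly"])


# Constructed sample (hypothetical values): the first cookie is what
# my_bad_view1 emits, the second is what my_good_view1 would emit.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "MY_COOKIE=MY_COOKIE_VALUE; Path=/; secure"),
    ("Set-Cookie", "OTHER=abc; Path=/; secure; HttpOnly"),
]

if __name__ == "__main__":
    print(cookies_missing_httponly(SAMPLE_HEADERS))  # ['MY_COOKIE']
```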
Short Link: https://sg.run/P19v