python.pyramid.audit.set-cookie-httponly-unsafe-value.pyramid-set-cookie-httponly-unsafe-value

Author: semgrep

Found a Pyramid cookie without the httponly option correctly set. Pyramid cookies should be handled securely by setting httponly=True in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.
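The static rule below catches the unsafe keyword in source; the complementary runtime check is to look at the Set-Cookie headers the application actually emits. The following is an added example, not part of the Semgrep rule or of Pyramid, that parses raw Set-Cookie header values and reports cookies lacking the HttpOnly attribute (it also reports a missing Secure attribute, the other flag the rule's test cases set). The header values in SAMPLE_HEADERS are constructed for the example.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes.

Added example for this page; not Semgrep's or Pyramid's own code. Input is a
list of raw Set-Cookie header values as a server (for example a Pyramid/WebOb
response) would emit them.
"""
from dataclasses import dataclass, field


@dataclass
class CookieAudit:
    name: str
    httponly: bool
    secure: bool
    problems: list = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value (RFC 6265 syntax) into an audit record."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; HttpOnly and Secure carry no value,
    # so only the attribute name before any '=' matters.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    audit = CookieAudit(name=name, httponly="httponly" in attrs, secure="secure" in attrs)
    if not audit.httponly:
        audit.problems.append("missing HttpOnly: readable via document.cookie")
    if not audit.secure:
        audit.problems.append("missing Secure: may be sent over plaintext HTTP")
    return audit


def audit_response_cookies(headers):
    """Return the audit records of cookies that have at least one problem."""
    return [a for a in (parse_set_cookie(h) for h in headers) if a.problems]


# Constructed sample headers (not taken from any real response).
SAMPLE_HEADERS = [
    "MY_COOKIE=MY_COOKIE_VALUE; Path=/; Secure",
    "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "prefs=dark; Path=/",
]

if __name__ == "__main__":
    for a in audit_response_cookies(SAMPLE_HEADERS):
        print(a.name, "->", "; ".join(a.problems))
```

Run against the constructed sample, the first and third cookies are reported (no HttpOnly; the third also lacks Secure) and the session cookie passes. In practice the header list would come from a test client's response or from a proxy capture of the deployed application.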


Definition

rules:
  - id: pyramid-set-cookie-httponly-unsafe-value
    patterns:
      - pattern-either:
          - pattern-inside: |
              @pyramid.view.view_config(...)
              def $VIEW($REQUEST):
                  ...
                  $RESPONSE = $REQUEST.response
                  ...
          - pattern-inside: |
              def $VIEW(...):
                  ...
                  $RESPONSE = pyramid.httpexceptions.HTTPFound(...)
                  ...
      - pattern-not: $RESPONSE.set_cookie(..., **$PARAMS)
      - pattern: $RESPONSE.set_cookie(..., httponly=$HTTPONLY, ...)
      - pattern: $HTTPONLY
      - metavariable-pattern:
          metavariable: $HTTPONLY
          pattern: |
            False
    fix: |
      True
    message: Found a Pyramid cookie without the httponly option correctly set.
      Pyramid cookies should be handled securely by setting httponly=True in
      response.set_cookie(...). If this parameter is not properly set, your
      cookies are not properly protected and are at risk of being stolen by an
      attacker.
    metadata:
      cwe:
        - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
      owasp:
        - A05:2021 - Security Misconfiguration
      references:
        - https://owasp.org/www-community/controls/SecureCookieAttribute
        - https://owasp.org/www-community/HttpOnly
        - https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#httponly-attribute
      category: security
      technology:
        - pyramid
      subcategory:
        - vuln
      likelihood: LOW
      impact: LOW
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cookie Security
    languages:
      - python
    severity: WARNING
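To make the rule's matching logic concrete, here is an added example (not Semgrep's engine and not part of the rule) that re-implements its core with the standard-library ast module: it reports every .set_cookie(...) call whose httponly keyword is the literal False, skips calls that spread a **params dict (the rule's pattern-not, since the flags are not visible statically), and applies the rule's fix by rewriting only the matched value to True. That last point is why the rule narrows its match with a bare pattern: $HTTPONLY before the metavariable-pattern: the autofix then replaces just the value, not the whole call. Unlike the rule, this version does not check that the receiver is a Pyramid response object; SAMPLE_SOURCE is a constructed module mirroring the rule's test cases.

```python
"""Minimal ast-based re-implementation of the rule's match and fix.

Added illustration for this page; not Semgrep's own engine. Requires
Python 3.9+ (ast.unparse, end_col_offset).
"""
import ast


def _unsafe_httponly_values(tree):
    """Yield (call node, False constant node) for each flagged set_cookie call."""
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and func.attr == "set_cookie"):
            continue
        # pattern-not: $RESPONSE.set_cookie(..., **$PARAMS) -> flags unknown statically
        if any(kw.arg is None for kw in node.keywords):
            continue
        for kw in node.keywords:
            # metavariable-pattern on $HTTPONLY: only the literal False matches
            if (kw.arg == "httponly"
                    and isinstance(kw.value, ast.Constant)
                    and kw.value.value is False):
                yield node, kw.value


def find_unsafe_httponly(source: str):
    """Return (lineno, call source text) for each set_cookie call with httponly=False."""
    tree = ast.parse(source)
    return [(call.lineno, ast.unparse(call)) for call, _ in _unsafe_httponly_values(tree)]


def apply_fix(source: str) -> str:
    """Rewrite each flagged False to True, mirroring the rule's `fix: True`.

    Only the span of the matched value is touched, which is what narrowing the
    match to `$HTTPONLY` buys the rule.
    """
    lines = source.splitlines(keepends=True)
    targets = [(v.lineno, v.col_offset, v.end_col_offset)
               for _, v in _unsafe_httponly_values(ast.parse(source))]
    # Edit right-to-left, bottom-up so earlier offsets stay valid.
    for lineno, start, end in sorted(targets, reverse=True):
        line = lines[lineno - 1]
        lines[lineno - 1] = line[:start] + "True" + line[end:]
    return "".join(lines)


# Constructed sample module mirroring the rule's true positive / true negative
# cases; `global_cookie_flags` is a hypothetical shared-settings dict.
SAMPLE_SOURCE = '''
def bad(request):
    response = request.response
    response.set_cookie('MY_COOKIE', value='v', httponly=False, secure=True)
    return {}

def good(request):
    response = request.response
    response.set_cookie('MY_COOKIE', value='v', secure=True, httponly=True)
    return {}

def unknown(request, global_cookie_flags):
    response = request.response
    response.set_cookie('MY_COOKIE', value='v', **global_cookie_flags)
    return {}
'''

if __name__ == "__main__":
    for lineno, call in find_unsafe_httponly(SAMPLE_SOURCE):
        print(f"line {lineno}: httponly=False in {call}")
    print(apply_fix(SAMPLE_SOURCE))
```

On the sample, only the call in bad() is reported; good() is a true negative and unknown() is skipped because its flags live in the spread dict, exactly as the rule's pattern-not intends. After apply_fix the module no longer produces a finding.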

Examples

set-cookie-httponly-unsafe-value.py

from pyramid import httpexceptions as exc
from pyramid.view import view_config

# Assumed shared cookie defaults, not defined in the original test file; added
# so the module imports cleanly (my_good_view3 spreads it into set_cookie).
global_cookie_flags = {'secure': True, 'httponly': True}

### True positives ###


@view_config(route_name='my_view')
def my_bad_view1(request):
    response = request.response
    response.set_cookie('MY_COOKIE', value='MY_COOKIE_VALUE',
                        # ruleid: pyramid-set-cookie-httponly-unsafe-value
                        httponly=False, secure=True)
    return {'foo': 'bar'}


@view_config(route_name='my_view')
def my_bad_view3(request):
    resp = exc.HTTPFound(location=request.referer or request.application_url)
    resp.set_cookie('MY_COOKIE', value='MY_COOKIE_VALUE',
                    # ruleid: pyramid-set-cookie-httponly-unsafe-value
                    secure=True, httponly=False)
    return resp


### True negatives ###

@view_config(route_name='my_view')
def my_good_view1(request):
    response = request.response
    # ok: pyramid-set-cookie-httponly-unsafe-value
    response.set_cookie('MY_COOKIE', value='MY_COOKIE_VALUE',
                        secure=True, httponly=True)
    return {'foo': 'bar'}


@view_config(route_name='my_view')
def my_good_view2(request):
    resp = exc.HTTPFound(location=request.referer or request.application_url)
    # ok: pyramid-set-cookie-httponly-unsafe-value
    resp.set_cookie('MY_COOKIE', secure=True,
                    httponly=True, value='MY_COOKIE_VALUE')
    return resp


@view_config(route_name='my_view')
def my_good_view3(request):
    resp = exc.HTTPFound(location=request.referer or request.application_url)
    # ok: pyramid-set-cookie-httponly-unsafe-value
    resp.set_cookie('MY_COOKIE', value='MY_COOKIE_VALUE',
                    **global_cookie_flags)
    return resp