python.pyramid.audit.set-cookie-secure-unsafe-default.pyramid-set-cookie-secure-unsafe-default

profile photo of semgrepsemgrep
Author
unknown
Download Count*
LGPL Commons Clause
License

Found a Pyramid cookie using an unsafe default for the secure option. Pyramid cookies should be handled securely by setting secure=True in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: pyramid-set-cookie-secure-unsafe-default
    patterns:
      - pattern-either:
          - pattern-inside: |
              @pyramid.view.view_config(...)
              def $VIEW($REQUEST):
                  ...
                  $RESPONSE = $REQUEST.response
                  ...
          - pattern-inside: |
              def $VIEW(...):
                  ...
                  $RESPONSE = pyramid.httpexceptions.HTTPFound(...)
                  ...
      - pattern-not: $RESPONSE.set_cookie(..., secure=$SECURE, ...)
      - pattern-not: $RESPONSE.set_cookie(..., **$PARAMS)
      - pattern: $RESPONSE.set_cookie(...)
    fix-regex:
      regex: (.*)\)
      replacement: \1, secure=True)
    message: Found a Pyramid cookie using an unsafe default for the secure option.
      Pyramid cookies should be handled securely by setting secure=True in
      response.set_cookie(...). If this parameter is not properly set, your
      cookies are not properly protected and are at risk of being stolen by an
      attacker.
    metadata:
      cwe:
        - "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute"
      owasp:
        - A05:2021 - Security Misconfiguration
      category: security
      technology:
        - pyramid
      references:
        - https://owasp.org/Top10/A05_2021-Security_Misconfiguration
      subcategory:
        - vuln
      likelihood: LOW
      impact: LOW
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cookie Security
    languages:
      - python
    severity: WARNING

Examples

set-cookie-secure-unsafe-default.py

from pyramid import httpexceptions as exc
from pyramid.view import view_config

### True positives ###


@view_config(route_name='my_view')
def my_bad_view1(request):
    response = request.response
    # ruleid: pyramid-set-cookie-secure-unsafe-default
    response.set_cookie('MY_COOKIE', value='MY_COOKIE_VALUE',
                        httponly=True)
    return {'foo': 'bar'}


@view_config(route_name='my_view')
def my_bad_view2(request):
    resp = exc.HTTPFound(location=request.referer or request.application_url)
    # ruleid: pyramid-set-cookie-secure-unsafe-default
    resp.set_cookie('MY_COOKIE', value='MY_COOKIE_VALUE',
                    httponly=True)
    return resp


### True negatives ###

@view_config(route_name='my_view')
def my_good_view1(request):
    response = request.response
    # ok:  pyramid-set-cookie-secure-unsafe-default
    response.set_cookie('MY_COOKIE', value='MY_COOKIE_VALUE',
                        secure=True, httponly=True)
    return {'foo': 'bar'}


@view_config(route_name='my_view')
def my_good_view2(request):
    resp = exc.HTTPFound(location=request.referer or request.application_url)
    # ok:  pyramid-set-cookie-secure-unsafe-default
    resp.set_cookie('MY_COOKIE', secure=True, httponly=True,
                    value='MY_COOKIE_VALUE')
    return resp


@view_config(route_name='my_view')
def my_good_view3(request):
    resp = exc.HTTPFound(location=request.referer or request.application_url)
    # ok:  pyramid-set-cookie-secure-unsafe-default
    resp.set_cookie('MY_COOKIE', value='MY_COOKIE_VALUE',
                    **global_cookie_flags)
    return resp