ruby.rails.security.brakeman.check-cookie-store-session-security-attributes.check-cookie-store-session-security-attributes

Author: unknown (published under the semgrep profile)

Found a Rails cookie_store session configuration setting the $KEY attribute to false. If using a cookie-based session store, the HttpOnly and Secure flags should be set.


Definition

rules:
  - id: check-cookie-store-session-security-attributes
    patterns:
      - pattern-either:
          - patterns:
              - pattern: |
                  :$KEY => false
              - pattern-inside: |
                  ActionController::Base.session = {...}
          - pattern: >
              $MODULE::Application.config.session_store :cookie_store, ...,
              :$KEY => false, ...
          - pattern: >
              $CLASS.application.config.session_store :cookie_store, ..., $KEY:
              false, ...
      - metavariable-regex:
          metavariable: $KEY
          regex: ^(session_)?(http_?only|secure)$
    message: Found a Rails `cookie_store` session configuration setting the `$KEY`
      attribute to `false`. If using a cookie-based session store, the HttpOnly
      and Secure flags should be set.
    languages:
      - ruby
    severity: WARNING
    metadata:
      source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_session_settings.rb
      category: security
      cwe:
        - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
      owasp:
        - A05:2021 - Security Misconfiguration
      technology:
        - ruby
        - rails
      references:
        - https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cookie Security
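As an added example (not code from the Semgrep rule above or from Brakeman), the Ruby below applies the rule's own key regex `^(session_)?(http_?only|secure)$` to a `session_store` options hash, reporting the keys the rule would flag. It also goes one step further than the rule: it assumes Rack's session defaults (HttpOnly on, Secure off), which Rails' `:cookie_store` inherits, and so reports a Secure flag that was simply never set. The option hashes are constructed samples.

```ruby
# Added example, not part of the Semgrep rule or of Brakeman: a small auditor
# that applies the rule's key regex (^(session_)?(http_?only|secure)$) to a
# session_store options hash, and also reports flags the rule cannot see.

SESSION_FLAG_KEY = /\A(session_)?(http_?only|secure)\z/.freeze

# Assumption: Rack::Session's defaults, which Rails' :cookie_store inherits.
# HttpOnly is on unless disabled; Secure is OFF unless enabled.
RACK_SESSION_DEFAULTS = { httponly: true, secure: false }.freeze

# Constructed sample configurations (the option hashes that would follow
# `Rails.application.config.session_store :cookie_store, ...`).
INSECURE_OPTIONS = { key: '_app_session', httponly: false, secure: false }.freeze
HARDENED_OPTIONS = { key: '_app_session', httponly: true, secure: true }.freeze
OMITTED_OPTIONS  = { key: '_app_session' }.freeze # neither flag given
RAILS2_OPTIONS   = { :key => '_rails2_session', :session_http_only => false }.freeze

# Map every accepted spelling (:session_http_only, :http_only, :httponly,
# :session_secure, :secure) onto :httponly or :secure; nil for other keys.
def canonical_flag(key)
  m = SESSION_FLAG_KEY.match(key.to_s)
  return nil unless m
  m[2].delete('_').to_sym
end

# What the Semgrep rule flags: a security key explicitly set to `false`.
def explicit_false_flags(options)
  options.select { |key, value| canonical_flag(key) && value == false }.keys
end

# Effective values once Rack's defaults are applied.
def effective_flags(options)
  options.each_with_object(RACK_SESSION_DEFAULTS.dup) do |(key, value), eff|
    flag = canonical_flag(key)
    eff[flag] = value if flag
  end
end

# Flags that end up anything other than `true`, including a Secure flag that
# was never set. The rule stays silent on the omitted case; this does not.
def weak_effective_flags(options)
  effective_flags(options).reject { |_, value| value == true }.keys
end

if __FILE__ == $PROGRAM_NAME
  { insecure: INSECURE_OPTIONS, hardened: HARDENED_OPTIONS,
    omitted: OMITTED_OPTIONS, rails2: RAILS2_OPTIONS }.each do |name, opts|
    puts "#{name}: rule flags #{explicit_false_flags(opts).inspect}, " \
         "weak after defaults #{weak_effective_flags(opts).inspect}"
  end
end
```

Note that the rule's patterns match a literal `false` only, so a value computed at runtime (for example `secure: Rails.env.production?`) is neither flagged nor confirmed by it; the `effective_flags` view above is the kind of check to apply when reviewing such a configuration by hand.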

Examples

check-cookie-store-session-security-attributes.rb

#rails2
ActionController::Base.session = {
  :key         => '_rails2_session',
  :secret      => 'secret!',
  # ruleid: check-cookie-store-session-security-attributes
  :session_http_only   => false
}

#rails3
# ruleid: check-cookie-store-session-security-attributes
Rails3::Application.config.session_store :cookie_store, :key => '_rails3_session', :httponly => false, :secure => false

#rails3
# ruleid: check-cookie-store-session-security-attributes
Rails3::Application.config.session_store :cookie_store, :key => '_rails3_session', :secure => false

#rails3
# ruleid: check-cookie-store-session-security-attributes
Rails3::Application.config.session_store :cookie_store, :httponly => false, :key => '_rails3_session'

#rails3
# ruleid: check-cookie-store-session-security-attributes
Rails.application.config.session_store :cookie_store, key: '_rails3_session', httponly: false, domain: :all

# ruleid: check-cookie-store-session-security-attributes
Rails.application.config.session_store :cookie_store, httponly: false

# ok: check-cookie-store-session-security-attributes
Rails.application.config.session_store :cookie_store, some_harmless_key: false

# ruleid: check-cookie-store-session-security-attributes
MyRailsApp::Application.config.session_store :cookie_store, httponly: false

# ruleid: check-cookie-store-session-security-attributes
MyRailsApp.application.config.session_store :cookie_store, httponly: false