-
Notifications
You must be signed in to change notification settings - Fork 10
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Flask set-cookie codemod #101
Conversation
Codecov Report
@@ Coverage Diff @@
## main #101 +/- ##
==========================================
+ Coverage 95.68% 95.72% +0.04%
==========================================
Files 61 62 +1
Lines 2504 2528 +24
==========================================
+ Hits 2396 2420 +24
Misses 108 108
|
), | ||
( | ||
"secure=True, httponly=True, samesite='Strict'", | ||
"secure=True, httponly=True, samesite='Lax'", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We could consider allowing users to pass samesite=Strict and not changing it to Lax
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes I think we should not modify samesite
if it is already less permissive than our codemod.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Lacking tests with open(...)
as a source, otherwise ok.
Can you clarify with a code example? |
Your semgrep rule has 3 possibilities for source (
All the unit tests are parameterized with this: each_func = pytest.mark.parametrize("func", ["make_response", "Response"]) Thus, no test covers an example like: import flask
response = open(something)
var = "hello"
response.set_cookie("name", "value") I'm not sure if this is actually valid code. Just following the semgrep rule. |
OHHHH this is a total typo, from copy paste. open is not a valid source. I will remove it. Good catch! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks really nice to me overall, but I do think we should preserve samesite="Strict"
if it's already there. We don't want to make the app less permissive, only moreso.
), | ||
( | ||
"secure=True, httponly=True, samesite='Strict'", | ||
"secure=True, httponly=True, samesite='Lax'", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes I think we should not modify samesite
if it is already less permissive than our codemod.
8f1f885
to
7f15e7d
Compare
7f15e7d
to
24e653b
Compare
Overview
New codemod to check if flask's
set_cookie
is called with the most secure paramsDescription
set_cookie
with default (seemingly unsafe) parameters but the safety is configured at the Flask app level configurations. However, whatever is passed toset_cookie
takes precedence so calling it with unsafe params should be changed.