Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Flask set-cookie codemod #101

Merged
merged 5 commits into from
Oct 27, 2023
Merged

Flask set-cookie codemod #101

merged 5 commits into from
Oct 27, 2023

Conversation

clavedeluna
Copy link
Contributor

@clavedeluna clavedeluna commented Oct 26, 2023

Overview

New codemod to check if flask's set_cookie is called with the most secure params

Description

  • This codemod is merge after cursory review because it is possible to call set_cookie with default (seemingly unsafe) parameters but the safety is configured at the Flask app level configurations. However, whatever is passed to set_cookie takes precedence so calling it with unsafe params should be changed.
  • Checking flask cookie config settings will be a separate codemod.

@codecov
Copy link

codecov bot commented Oct 26, 2023

Codecov Report

Merging #101 (24e653b) into main (6ee8779) will increase coverage by 0.04%.
The diff coverage is 100.00%.

Impacted file tree graph

@@            Coverage Diff             @@
##             main     #101      +/-   ##
==========================================
+ Coverage   95.68%   95.72%   +0.04%     
==========================================
  Files          61       62       +1     
  Lines        2504     2528      +24     
==========================================
+ Hits         2396     2420      +24     
  Misses        108      108              
Files Coverage Δ
src/core_codemods/__init__.py 100.00% <100.00%> (ø)
src/core_codemods/secure_flask_cookie.py 100.00% <100.00%> (ø)

),
(
"secure=True, httponly=True, samesite='Strict'",
"secure=True, httponly=True, samesite='Lax'",
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could consider allowing users to pass samesite=Strict and not changing it to Lax

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes I think we should not modify samesite if it is already less permissive than our codemod.

@clavedeluna clavedeluna marked this pull request as ready for review October 26, 2023 11:20
Copy link
Contributor

@andrecsilva andrecsilva left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lacking tests with open(...) as a source, otherwise ok.

@clavedeluna
Copy link
Contributor Author

Lacking tests with open(...) as a source, otherwise ok.

Can you clarify with a code example?

@andrecsilva
Copy link
Contributor

Lacking tests with open(...) as a source, otherwise ok.

Can you clarify with a code example?

Your semgrep rule has 3 possibilities for source (flask.make_response(...), flask.Response(...) and open(...)). See:

            pattern-sources:
              - pattern-either:
                  - patterns:
                    - pattern: flask.make_response(...)
                    - pattern-inside: |
                        import flask
                        ...
                  - patterns:
                    - pattern: flask.Response(...)
                    - pattern-inside: |
                        import flask
                        ...
                  - pattern: open(...)

All the unit tests are parameterized with this:

each_func = pytest.mark.parametrize("func", ["make_response", "Response"])

Thus, no test covers an example like:

import flask
response = open(something)
var = "hello"
response.set_cookie("name", "value")

I'm not sure if this is actually valid code. Just following the semgrep rule.

@clavedeluna
Copy link
Contributor Author

Lacking tests with open(...) as a source, otherwise ok.

Can you clarify with a code example?

Your semgrep rule has 3 possibilities for source (flask.make_response(...), flask.Response(...) and open(...)). See:

            pattern-sources:
              - pattern-either:
                  - patterns:
                    - pattern: flask.make_response(...)
                    - pattern-inside: |
                        import flask
                        ...
                  - patterns:
                    - pattern: flask.Response(...)
                    - pattern-inside: |
                        import flask
                        ...
                  - pattern: open(...)

All the unit tests are parameterized with this:

each_func = pytest.mark.parametrize("func", ["make_response", "Response"])

Thus, no test covers an example like:

import flask
response = open(something)
var = "hello"
response.set_cookie("name", "value")

I'm not sure if this is actually valid code. Just following the semgrep rule.

OHHHH this is a total typo, from copy paste. open is not a valid source. I will remove it. Good catch!

Copy link
Member

@drdavella drdavella left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks really nice to me overall, but I do think we should preserve samesite="Strict" if it's already there. We don't want to make the app less permissive, only moreso.

),
(
"secure=True, httponly=True, samesite='Strict'",
"secure=True, httponly=True, samesite='Lax'",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes I think we should not modify samesite if it is already less permissive than our codemod.

@clavedeluna clavedeluna merged commit b5039db into main Oct 27, 2023
11 checks passed
@clavedeluna clavedeluna deleted the flask-set-cookie branch October 27, 2023 11:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants