Skip to content

Python: Promote cookie injection query from experimental #16893

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 8 commits into from
Jul 29, 2024
Merged

Python: Promote cookie injection query from experimental #16893

merged 8 commits into from
Jul 29, 2024

Conversation

joefarebrother
Copy link
Contributor

Part of https://github.com/github/codeql-python-team/issues/792 promoting #6360;
Depends on #16696

Promotes the Cookie Injection query from experimental, finding instances of user input being used to set the name or value of a cookie.

github-advanced-security[bot]
github-advanced-security bot found potential problems Jul 2, 2024
View reviewed changes
@joefarebrother joefarebrother force-pushed the python-cookie-injectio-promote branch from 0853bdb to 070d678 Compare July 16, 2024 15:50
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jul 16, 2024
edited
Loading

QHelp previews:

python/ql/src/Security/CWE-020/CookieInjection.qhelp

Construction of a cookie using user-supplied input.

Constructing cookies from user input can allow an attacker to control a user's cookie. This may lead to a session fixation attack. Additionally, client code may not expect a cookie to contain attacker-controlled data, and fail to sanitize it for common vulnerabilities such as Cross Site Scripting (XSS). An attacker manipulating the raw cookie header may additionally be able to set cookie attributes such as HttpOnly to insecure values.

Recommendation

Do not use raw user input to construct cookies.

Example

In the following cases, a cookie is constructed for a Flask response using user input. The first uses set_cookie, and the second sets a cookie's raw value through the set-cookie header.

from flask import request, make_response


@app.route("/1")
def set_cookie():
    resp = make_response()
    resp.set_cookie(request.args["name"], # BAD: User input is used to set the cookie's name and value
                    value=request.args["name"])
    return resp


@app.route("/2")
def set_cookie_header():
    resp = make_response()
    resp.headers['Set-Cookie'] = f"{request.args['name']}={request.args['name']};" # BAD: User input is used to set the raw cookie header.
    return resp

References

@joefarebrother joefarebrother changed the title [Draft] Python: Promote cookie injection query from experimental Python: Promote cookie injection query from experimental Jul 19, 2024
@joefarebrother joefarebrother marked this pull request as ready for review July 19, 2024 08:24
@joefarebrother joefarebrother requested a review from a team as a code owner July 19, 2024 08:24
yoff
yoff reviewed Jul 24, 2024
View reviewed changes
Copy link
Contributor

@yoff yoff left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like the query is now in the standard format, and the help file is also improved. I suspect we also benefit from more cookie write models.

Two questions:

  • Is python/ql/src/experimental/semmle/python/security/injection/CookieInjection.qll still around? Could it be deleted as part of this?
  • You have simplified the alert to not mention specific flags. Is that to align with other languages or what is the rationale?

@yoff
Copy link
Contributor

yoff commented Jul 24, 2024

  • You have simplified the alert to not mention specific flags. Is that to align with other languages or what is the rationale?

Ah, I guess this has been split out into another query?

yoff
yoff approved these changes Jul 29, 2024
View reviewed changes
Copy link
Contributor

@yoff yoff left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@joefarebrother joefarebrother merged commit 58689c9 into github:main Jul 29, 2024
16 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yoff yoff yoff approved these changes

Assignees
No one assigned
Labels
documentation Python
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@joefarebrother @yoff