Skip to content

Commit

Permalink
allow for strict samesite
Browse files Browse the repository at this point in the history
  • Loading branch information
clavedeluna committed Oct 27, 2023
1 parent e39e87a commit 24e653b
Show file tree
Hide file tree
Showing 3 changed files with 31 additions and 8 deletions.
2 changes: 1 addition & 1 deletion src/core_codemods/docs/pixee_python_secure-flask-cookie.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
This codemod sets the most secure parameters when Flask applications call `set_cookie` on a response object. Without these parameters, your Flask
application cookies may be vulnerable to being intercepted and used against your system.
application cookies may be vulnerable to being intercepted and used to gain access to sensitive data.

The changes from this codemod look like this:

Expand Down
31 changes: 25 additions & 6 deletions src/core_codemods/secure_flask_cookie.py
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
from libcst import matchers
from codemodder.codemods.base_codemod import ReviewGuidance
from codemodder.codemods.api import SemgrepCodemod
from codemodder.codemods.api.helpers import NewArg
Expand Down Expand Up @@ -41,15 +42,33 @@ def rule(cls):
- patterns:
- pattern: $SINK.set_cookie(...)
- pattern-not: $SINK.set_cookie(..., secure=True, ..., httponly=True, ..., samesite="Lax", ...)
- pattern-not: $SINK.set_cookie(..., secure=True, ..., httponly=True, ..., samesite="Strict", ...)
"""

def _choose_new_args(self, original_node):
new_args = [
NewArg(name="secure", value="True", add_if_missing=True),
NewArg(name="httponly", value="True", add_if_missing=True),
]

samesite = matchers.Arg(
keyword=matchers.Name(value="samesite"),
value=matchers.SimpleString(value="'Strict'"),
)

# samesite=Strict is OK because it's more restrictive than Lax.
strict_samesite_defined = any(
matchers.matches(arg, samesite) for arg in original_node.args
)
if not strict_samesite_defined:
new_args.append(
NewArg(name="samesite", value="'Lax'", add_if_missing=True),
)

return new_args

def on_result_found(self, original_node, updated_node):
new_args = self.replace_args(
original_node,
[
NewArg(name="secure", value="True", add_if_missing=True),
NewArg(name="httponly", value="True", add_if_missing=True),
NewArg(name="samesite", value="'Lax'", add_if_missing=True),
],
original_node, self._choose_new_args(original_node)
)
return self.update_arg_target(updated_node, new_args)
6 changes: 5 additions & 1 deletion tests/codemods/test_secure_flask_cookie.py
Original file line number Diff line number Diff line change
Expand Up @@ -75,7 +75,11 @@ def test_import_alias(self, tmpdir, func):
),
(
"secure=True, httponly=True, samesite='Strict'",
"secure=True, httponly=True, samesite='Lax'",
"secure=True, httponly=True, samesite='Strict'",
),
(
"secure=False, httponly=True, samesite='Strict'",
"secure=True, httponly=True, samesite='Strict'",
),
(
"httponly=True, samesite='Lax', secure=True",
Expand Down

0 comments on commit 24e653b

Please sign in to comment.