diff --git a/rules/python/lang/cookies.yml b/rules/python/lang/cookies.yml new file mode 100644 index 000000000..10fce934c --- /dev/null +++ b/rules/python/lang/cookies.yml @@ -0,0 +1,45 @@ +imports: + - python_shared_lang_datatype +patterns: + - pattern: $[$<_>] = $ + filters: + - variable: COOKIE_INIT + detection: python_lang_cookies_init + scope: cursor + - variable: DATA_TYPE + detection: python_shared_lang_datatype + scope: result +auxiliary: + - id: python_lang_cookies_init + patterns: + - pattern: $() + filters: + - variable: COOKIE + regex: \A(http\.)?(cookies\.)?(Simple|Base)Cookie\z +languages: + - python +severity: high +metadata: + description: Leakage of sensitive data in cookie + remediation_message: |- + ## Description + + Storing sensitive data in cookies can lead to a data breach. This vulnerability occurs when sensitive information is stored in browser cookies, putting it at risk of unauthorized access. + + ## Remediations + + - **Do not** store sensitive data in unencrypted cookies. This practice can expose sensitive information to potential security threats. + ```python + HttpResponse.set_cookie("user", "john@doe.com", ...) # unsafe + ``` + - **Do** use encrypted cookies to protect sensitive data stored in cookies. + ```python + HttpResponse.set_signed_cookie("user", "john@doe.com", ...) + ``` + + ## References + + cwe_id: + - 315 + id: python_lang_cookies + documentation_url: https://docs.bearer.com/reference/rules/python_lang_cookies diff --git a/tests/python/lang/cookies/test.js b/tests/python/lang/cookies/test.js new file mode 100644 index 000000000..b33a7ba2b --- /dev/null +++ b/tests/python/lang/cookies/test.js @@ -0,0 +1,20 @@ +const { + createNewInvoker, + getEnvironment, +} = require("../../../helper.js") +const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) + +describe(ruleId, () => { + const invoke = createNewInvoker(ruleId, ruleFile, testBase) + + test("cookies", () => { + const testCase = "main.py" + + const results = invoke(testCase) + + expect(results).toEqual({ + Missing: [], + Extra: [] + }) + }) +}) \ No newline at end of file diff --git a/tests/python/lang/cookies/testdata/main.py b/tests/python/lang/cookies/testdata/main.py new file mode 100644 index 000000000..4ac9a4040 --- /dev/null +++ b/tests/python/lang/cookies/testdata/main.py @@ -0,0 +1,16 @@ +from http import cookies + +def bad(user): + myCookie = cookies.SimpleCookie() + # bearer:expected python_lang_cookies + myCookie["user"] = user.email + +def bad2(customer): + myBasicCookie = http.cookies.BaseCookie() + # bearer:expected python_lang_cookies + myBasicCookie["logged customer"] = customer.email + +def ok(user): + safeCookie = cookies.SimpleCookie() + safeCookie["user"] = "current" +