fix: use instance case

Bearer · May 16, 2024 · b542f41 · b542f41
1 parent 915da37
commit b542f41
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 4 deletions.
diff --git a/rules/python/django/insecure_cookie.yml b/rules/python/django/insecure_cookie.yml
@@ -1,11 +1,12 @@
 imports:
   - python_shared_django_http_response
+  - python_shared_lang_instance
 patterns:
   - pattern: |
       $<RESPONSE>.set_cookie($<...>secure=$<FALSE>$<...>)
     filters:
       - variable: RESPONSE
-        detection: python_shared_django_http_response
+        detection: python_django_insecure_cookie_http_response_instance
         scope: cursor
       - variable: "FALSE"
         detection: python_django_insecure_cookie_false
@@ -14,6 +15,17 @@ auxiliary:
   - id: python_django_insecure_cookie_false
     patterns:
       - "False"
+  - id: python_django_insecure_cookie_http_response_instance
+    patterns:
+      - pattern: $<HTTP_RESPONSE>
+        filters:
+          - variable: HTTP_RESPONSE
+            detection: python_shared_lang_instance
+            scope: cursor_strict
+            filters:
+              - variable: CLASS
+                detection: python_shared_django_http_response
+                scope: cursor
 languages:
   - python
 severity: medium

diff --git a/tests/python/django/insecure_cookie/testdata/main.py b/tests/python/django/insecure_cookie/testdata/main.py
@@ -1,8 +1,13 @@
+from django.http import HttpResponse
+
 def bad():
+  response = HttpResponse()
   # bearer:expected python_django_insecure_cookie
-  HttpResponse.set_cookie("foo", "bar", max_age=None, secure=False, httponly=False)
+  response.set_cookie("foo", "bar", max_age=None, secure=False, httponly=False)
 
 def ok(): 
-  HttpResponse.set_cookie("foo", "bar")
+  response = HttpResponse()
+
+  response.set_cookie("foo", "bar")
   # still bad but not for this rule
-  HttpResponse.set_cookie("foo", "bar", max_age=None, secure=True, httponly=False)
+  response.set_cookie("foo", "bar", max_age=None, secure=True, httponly=False)