fixup: cookies

Bearer · Jun 7, 2024 · b9b31f0 · b9b31f0
1 parent 97cfee4
commit b9b31f0
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 8 deletions.
diff --git a/rules/python/django/cookie_missing_http_only.yml b/rules/python/django/cookie_missing_http_only.yml
@@ -1,5 +1,7 @@
 imports:
   - python_shared_django_http_response
+  - python_shared_lang_import2
+  - python_shared_lang_instance
 patterns:
   - pattern: $<SET_COOKIE>
     filters:
@@ -13,11 +15,26 @@ patterns:
 auxiliary:
   - id: python_django_cookie_missing_http_only_set_cookie_call
     patterns:
-      - pattern: $<RESPONSE>.set_cookie($<...>)
+      - pattern: $<CALLER>.set_cookie($<...>)
         filters:
-          - variable: RESPONSE
-            detection: python_shared_django_http_response
-            scope: cursor
+          - either: 
+            - variable: CALLER
+              detection: python_shared_django_http_response
+              scope: cursor
+            - variable: CALLER
+              detection: python_shared_lang_instance
+              scope: cursor
+              filters:
+                - variable: CLASS
+                  detection: python_shared_lang_import2
+                  scope: cursor
+                  filters:
+                    - variable: MODULE1
+                      values: [django]
+                    - variable: MODULE2
+                      values: [shortcuts]
+                    - variable: NAME
+                      values: [render]
   - id: python_django_cookie_missing_http_only_set_cookie_http_only
     patterns:
       - pattern: $<_>($<...>httponly=$<TRUE>)

diff --git a/rules/python/django/cookie_missing_secure.yml b/rules/python/django/cookie_missing_secure.yml
@@ -1,5 +1,7 @@
 imports:
   - python_shared_django_http_response
+  - python_shared_lang_instance
+  - python_shared_lang_import2
 patterns:
   - pattern: $<SET_COOKIE>
     filters:
@@ -13,11 +15,26 @@ patterns:
 auxiliary:
   - id: python_django_cookie_missing_secure_set_cookie_call
     patterns:
-      - pattern: $<RESPONSE>.set_cookie($<...>)
+      - pattern: $<CALLER>.set_cookie($<...>)
         filters:
-          - variable: RESPONSE
-            detection: python_shared_django_http_response
-            scope: cursor
+          - either:
+              - variable: CALLER
+                detection: python_shared_django_http_response
+                scope: cursor
+              - variable: CALLER
+                detection: python_shared_lang_instance
+                scope: cursor
+                filters:
+                  - variable: CLASS
+                    detection: python_shared_lang_import2
+                    scope: cursor
+                    filters:
+                      - variable: MODULE1
+                        values: [django]
+                      - variable: MODULE2
+                        values: [shortcuts]
+                      - variable: NAME
+                        values: [render]
   - id: python_django_cookie_missing_secure_set_cookie_secure
     patterns:
       - pattern: $<_>($<...>secure=$<TRUE>)