From b9b31f0aa22006372ac9156c641c356b04c0b218 Mon Sep 17 00:00:00 2001
From: elsapet
Date: Fri, 7 Jun 2024 09:12:49 +0200
Subject: [PATCH] fixup: cookies

---
 .../django/cookie_missing_http_only.yml       | 25 ++++++++++++++++---
 rules/python/django/cookie_missing_secure.yml | 25 ++++++++++++++++---
 2 files changed, 42 insertions(+), 8 deletions(-)

diff --git a/rules/python/django/cookie_missing_http_only.yml b/rules/python/django/cookie_missing_http_only.yml
index eb89b8f1..67085161 100644
--- a/rules/python/django/cookie_missing_http_only.yml
+++ b/rules/python/django/cookie_missing_http_only.yml
@@ -1,5 +1,7 @@
 imports:
   - python_shared_django_http_response
+  - python_shared_lang_import2
+  - python_shared_lang_instance
 patterns:
   - pattern: $
     filters:
@@ -13,11 +15,26 @@ patterns:
 auxiliary:
   - id: python_django_cookie_missing_http_only_set_cookie_call
     patterns:
-      - pattern: $.set_cookie($<...>)
+      - pattern: $.set_cookie($<...>)
         filters:
-          - variable: RESPONSE
-            detection: python_shared_django_http_response
-            scope: cursor
+          - either:
+              - variable: CALLER
+                detection: python_shared_django_http_response
+                scope: cursor
+              - variable: CALLER
+                detection: python_shared_lang_instance
+                scope: cursor
+                filters:
+                  - variable: CLASS
+                    detection: python_shared_lang_import2
+                    scope: cursor
+                    filters:
+                      - variable: MODULE1
+                        values: [django]
+                      - variable: MODULE2
+                        values: [shortcuts]
+                      - variable: NAME
+                        values: [render]
   - id: python_django_cookie_missing_http_only_set_cookie_http_only
     patterns:
       - pattern: $<_>($<...>httponly=$)
diff --git a/rules/python/django/cookie_missing_secure.yml b/rules/python/django/cookie_missing_secure.yml
index ad206f04..2c397934 100644
--- a/rules/python/django/cookie_missing_secure.yml
+++ b/rules/python/django/cookie_missing_secure.yml
@@ -1,5 +1,7 @@
 imports:
   - python_shared_django_http_response
+  - python_shared_lang_instance
+  - python_shared_lang_import2
 patterns:
   - pattern: $
     filters:
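Review bot: The new second `either` branch only recognises callers built from `django.shortcuts.render`; `django.shortcuts.redirect` returns a response object in the same way and is not matched by `values: [render]`, so a `set_cookie(...)` on a redirect result without `httponly=` would go unreported unless `python_shared_django_http_response` already covers it, which is not visible here. If it does not, widening the filter to `values: [render, redirect]` closes that gap. The diffstat lists only the two rule files, so no test fixture exercising the `render(...)` caller shape accompanies the change; adding one would pin the new branch. The same point applies to the matching set_cookie_call hunk in cookie_missing_secure.yml.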
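Review bot: The two added imports are listed as `python_shared_lang_instance` then `python_shared_lang_import2` in cookie_missing_secure.yml, the reverse of the order used in the same hunk of cookie_missing_http_only.yml. Keeping the import lists in the same order in both files makes the two rules diff cleanly against each other; the http_only ordering can be adopted here.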
@@ -13,11 +15,26 @@ patterns:
 auxiliary:
   - id: python_django_cookie_missing_secure_set_cookie_call
     patterns:
-      - pattern: $.set_cookie($<...>)
+      - pattern: $.set_cookie($<...>)
         filters:
-          - variable: RESPONSE
-            detection: python_shared_django_http_response
-            scope: cursor
+          - either:
+              - variable: CALLER
+                detection: python_shared_django_http_response
+                scope: cursor
+              - variable: CALLER
+                detection: python_shared_lang_instance
+                scope: cursor
+                filters:
+                  - variable: CLASS
+                    detection: python_shared_lang_import2
+                    scope: cursor
+                    filters:
+                      - variable: MODULE1
+                        values: [django]
+                      - variable: MODULE2
+                        values: [shortcuts]
+                      - variable: NAME
+                        values: [render]
   - id: python_django_cookie_missing_secure_set_cookie_secure
     patterns:
       - pattern: $<_>($<...>secure=$)
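Review bot: The nested `either` carries no comment explaining why a value built from `django.shortcuts.render` is treated like a response, and a reader without Django context will not get that from the three-level filter alone. A one-line comment above `- either:` such as `# CALLER is an HttpResponse-typed value, or the result of django.shortcuts.render(), which returns one` would document the intent. The same comment fits the matching hunk in cookie_missing_http_only.yml. The `- id:` context line that follows belongs to the next auxiliary and is not part of this change.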