From 699fb050ccd67fa409586085ff8c9bec657b9cda Mon Sep 17 00:00:00 2001
From: elsapet
Date: Thu, 30 May 2024 15:35:57 +0200
Subject: [PATCH] feat(pyython/django): secure configuration failure (CWE-693)
---
 .../django/insecure_cookie_settings.yml | 38 +++++++++++++++++++
 .../django/insecure_cookie_settings/test.js | 20 ++++++++++
 .../insecure_cookie_settings/testdata/main.py | 8 ++++
 3 files changed, 66 insertions(+)
 create mode 100644 rules/python/django/insecure_cookie_settings.yml
 create mode 100644 tests/python/django/insecure_cookie_settings/test.js
 create mode 100644 tests/python/django/insecure_cookie_settings/testdata/main.py
diff --git a/rules/python/django/insecure_cookie_settings.yml b/rules/python/django/insecure_cookie_settings.yml
new file mode 100644
index 00000000..05af774e
--- /dev/null
+++ b/rules/python/django/insecure_cookie_settings.yml
@@ -0,0 +1,38 @@
+patterns:
+ - pattern: SESSION_COOKIE_SECURE = $
+ filters:
+ - variable: "FALSE"
+ detection: python_django_insecure_cookie_settings_false
+ scope: result
+ - pattern: CSRF_COOKIE_SECURE = $
+ filters:
+ - variable: "FALSE"
+ detection: python_django_insecure_cookie_settings_false
+ scope: result
+auxiliary:
+ - id: python_django_insecure_cookie_settings_false
+ patterns:
+ - "False"
+languages:
+ - python
+severity: medium
+metadata:
+ description: Usage of insecure cookie settings
+ remediation_message: |
+ ## Description
+
+ Using insecure cookie settings when configuring your application poses a significant security risk. If session (or CSRF) cookies are transmitted over an unencrypted HTTP connection, an attacker could capture a cookie and use this to hijack a user's session, thereby gaining unauthorized access to - potentially sensitive - data and resources.
+
+ To prevent this vulnerability, always enable to secure attributes for session and CSRF cookies in your settings.py file. This is especially important for production environments.
+
+ ## Remediations
+
+ - **Do not** disable secure session cookies or CSRF cookies in production environments
+ ```python
+ SESSION_COOKIE_SECURE = False # unsafe
+ CSRF_COOKIE_SECURE = False # unsafe
+ ```
+ cwe_id:
+ - 693
+ id: python_django_insecure_cookie_settings
+ documentation_url: https://docs.bearer.com/reference/rules/python_django_insecure_cookie_settings
diff --git a/tests/python/django/insecure_cookie_settings/test.js b/tests/python/django/insecure_cookie_settings/test.js
new file mode 100644
index 00000000..1c5f7eac
--- /dev/null
+++ b/tests/python/django/insecure_cookie_settings/test.js
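Review bot: The remediation_message in this hunk shows only the unsafe assignments and never the fix, and it does not say that Django's default for both SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE is False, so a settings.py that simply omits them is just as exposed as one that sets them to False — and omission is a case this assignment pattern cannot catch. I would add a safe example under Remediations, `SESSION_COOKIE_SECURE = True` and `CSRF_COOKIE_SECURE = True`, plus one sentence stating that the default is False and the settings must therefore be set explicitly in production. The phrase "always enable to secure attributes" should read "always enable the Secure attribute". CWE-614 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute) is the more specific identifier for this finding than the generic CWE-693 and could be listed alongside it under cwe_id.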
@@ -0,0 +1,20 @@
+const {
+ createNewInvoker,
+ getEnvironment,
+} = require("../../../helper.js")
+const { ruleId, ruleFile, testBase } = getEnvironment(__dirname)
+
+describe(ruleId, () => {
+ const invoke = createNewInvoker(ruleId, ruleFile, testBase)
+
+ test("insecure_cookie_settings", () => {
+ const testCase = "main.py"
+
+ const results = invoke(testCase)
+
+ expect(results).toEqual({
+ Missing: [],
+ Extra: []
+ })
+ })
+})
\ No newline at end of file
diff --git a/tests/python/django/insecure_cookie_settings/testdata/main.py b/tests/python/django/insecure_cookie_settings/testdata/main.py
new file mode 100644
index 00000000..8d8dfa98
--- /dev/null
+++ b/tests/python/django/insecure_cookie_settings/testdata/main.py
@@ -0,0 +1,8 @@
+ # bearer:expected python_django_insecure_cookie_settings
+SESSION_COOKIE_SECURE = False
+# bearer:expected python_django_insecure_cookie_settings
+CSRF_COOKIE_SECURE = False
+
+# ok
+SESSION_COOKIE_SECURE = TRUE
+CSRF_COOKIE_SECURE = True
\ No newline at end of file
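Review bot: The new test file ends without a trailing newline (the `\ No newline at end of file` marker after the closing `})`) and every statement relies on automatic semicolon insertion; if the repository's other test files are formatted with Prettier or an ESLint config, this one will churn on the next format pass, so I would terminate statements with `;` and add the final newline now. The `testCase` variable is used once and can be inlined as `const results = invoke("main.py");`.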
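Review bot: `SESSION_COOKIE_SECURE = TRUE` on the "# ok" side of the main.py hunk is not the boolean literal — `TRUE` is an undefined name in Python, so this fixture line does not represent a real safe configuration, and the rule stays quiet on it only because its auxiliary pattern matches the literal `False`. Change it to `SESSION_COOKIE_SECURE = True` so it mirrors the `CSRF_COOKIE_SECURE = True` line below it and actually exercises the intended negative case. It may also be worth adding a non-literal value such as `SESSION_COOKIE_SECURE = env.bool("SESSION_COOKIE_SECURE", False)` under "# ok", so the fixture records that only a literal False is flagged by this rule.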