Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(python/django): secure configuration failure (CWE-693) #429

Merged
merged 1 commit into from
Jun 3, 2024
Merged

feat(python/django): secure configuration failure (CWE-693) #429

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 38 additions & 0 deletions rules/python/django/insecure_cookie_settings.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
patterns:
- pattern: SESSION_COOKIE_SECURE = $<FALSE>
filters:
- variable: "FALSE"
detection: python_django_insecure_cookie_settings_false
scope: result
- pattern: CSRF_COOKIE_SECURE = $<FALSE>
filters:
- variable: "FALSE"
detection: python_django_insecure_cookie_settings_false
scope: result
auxiliary:
- id: python_django_insecure_cookie_settings_false
patterns:
- "False"
languages:
- python
severity: medium
metadata:
description: Usage of insecure cookie settings
remediation_message: |
## Description

Using insecure cookie settings when configuring your application poses a significant security risk. If session (or CSRF) cookies are transmitted over an unencrypted HTTP connection, an attacker could capture a cookie and use this to hijack a user's session, thereby gaining unauthorized access to - potentially sensitive - data and resources.

To prevent this vulnerability, always enable to secure attributes for session and CSRF cookies in your settings.py file. This is especially important for production environments.

## Remediations

- **Do not** disable secure session cookies or CSRF cookies in production environments
```python
SESSION_COOKIE_SECURE = False # unsafe
CSRF_COOKIE_SECURE = False # unsafe
```
cwe_id:
- 693
id: python_django_insecure_cookie_settings
documentation_url: https://docs.bearer.com/reference/rules/python_django_insecure_cookie_settings
20 changes: 20 additions & 0 deletions tests/python/django/insecure_cookie_settings/test.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
const {
createNewInvoker,
getEnvironment,
} = require("../../../helper.js")
const { ruleId, ruleFile, testBase } = getEnvironment(__dirname)

describe(ruleId, () => {
const invoke = createNewInvoker(ruleId, ruleFile, testBase)

test("insecure_cookie_settings", () => {
const testCase = "main.py"

const results = invoke(testCase)

expect(results).toEqual({
Missing: [],
Extra: []
})
})
})
8 changes: 8 additions & 0 deletions tests/python/django/insecure_cookie_settings/testdata/main.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
# bearer:expected python_django_insecure_cookie_settings
SESSION_COOKIE_SECURE = False
# bearer:expected python_django_insecure_cookie_settings
CSRF_COOKIE_SECURE = False

# ok
SESSION_COOKIE_SECURE = TRUE
CSRF_COOKIE_SECURE = True
Loading