New Published Rules - innopolis.flask-insecure-set_cookie

innopolis/flask-insecure-set_cookie.py

@@ -0,0 +1,23 @@
+        import flask
+        from flask import response as r
+
+        app = flask.Flask()
+
+        @app.route("/index")
+        def index():
+            resp = r.set_cookie("username","DrewDennison")
+            return resp
+
+        @app.route("/semper")
+        def semper():
+            resp = r.set_cookie("cartTotal",
+                generate_cookie_value("DrewDennison"),
+                secure=False)
+            return resp
+
+        @app.route("/admin")
+        def admin():
+            # this cookie is secure
+            resp = r.set_cookie("user—rights", "admin", secure=True,
+            httponly=True, samesite="Lax")
+            return resp

innopolis/flask-insecure-set_cookie.yaml

@@ -0,0 +1,24 @@
+rules:
+- id: flask-insecure-set_cookie
+  languages:
+  - python
+  message: secure and httponly flags are false by default, therefore cookie will be
+    available in HTTP and in javascript.
+  patterns:
+  - pattern: '... .set_cookie(...)'
+  - pattern-not: '... .set_cookie(..., secure=True, ..., httponly=True, ...)'
+  severity: WARNING
+  metadata:
+    category: security
+    subcategory:
+    - vuln
+    cwe:
+    - 'CWE 1004: Sensitive Cookie Without ''HttpOnly'' Flag'
+    - 'CWE 614: Sensitive Cookie in HTTPS Session Without ''Secure'' Attribute'
+    confidence: LOW
+    likelihood: LOW
+    technology:
+    - flask
+    impact: MEDIUM
+    references:
+    - https://www.easydevguide.com/posts/flask_cookie_security