SONARPY-489 Rule S2092: Creating cookies without the "secure" flag is security-sensitive by andrea-guarino-sonarsource · Pull Request #548 · SonarSource/sonar-python

andrea-guarino-sonarsource · 2020-02-03T10:23:32Z

No description provided.

guillaume-dequenne · 2020-02-03T15:10:06Z

If I understood correctly, we won't cover this case at first, so I guess it might be worth updating the rule description.

guillaume-dequenne · 2020-02-03T15:17:00Z

This implementation seems to assume the secure flag will always be passed as a keyword argument, with a risk of FP if it's passed as a positional argument. I haven't checked for django but I believe it's possible to use positional arguments with flask at least.
Would you consider accounting for positional arguments as well to avoid those FP (maybe by doing something similar to PredictableSaltCheck) ?

Yes good point, I'll check for positional argument

guillaume-dequenne · 2020-02-03T15:20:24Z

I think you forgot to rename this variable.

Indeed, thanks! :)

guillaume-dequenne · 2020-02-03T15:31:04Z

Just a thought: do you think it would actually be feasible to raise on cases like:
cookie['c1'] = 'value' # FN
by checking whether the cookie symbol has another assignment usage with the same c1 subscript as well as a secure one?
Maybe it's not worth doing as I believe this is not the usual way to set cookies and it might be more complex to do than it looks, but I prefer mentioning it, feel free to disregard this!

That's a fair point. However I have the feeling that the value doesn't justify the extra complexity. I suggest to create a ticket to keep track of this FN.

Ticket created https://jira.sonarsource.com/browse/SONARPY-577

guillaume-dequenne

Just a comment about Optional#orElse, otherwise lgtm

guillaume-dequenne · 2020-02-04T08:38:55Z

Could you use Optional#orElseGet instead of orElse ? As the latter is always evaluated no matter whether the former is present or not.

good catch! thanks!

… security-sensitive

GitOrigin-RevId: 6f869848853e50be065ae5cb257c74c3691001d0

andrea-guarino-sonarsource changed the title ~~tmp~~ SOANRPY-489 Rule S2053: Hashes should include an unpredictable salt Feb 3, 2020

andrea-guarino-sonarsource force-pushed the SONARPY-489 branch from 16204c5 to 34be11e Compare February 3, 2020 11:02

andrea-guarino-sonarsource changed the title ~~SOANRPY-489 Rule S2053: Hashes should include an unpredictable salt~~ SONARPY-489 Rule S2053: Hashes should include an unpredictable salt Feb 3, 2020

andrea-guarino-sonarsource force-pushed the SONARPY-489 branch from 34be11e to d6f9167 Compare February 3, 2020 11:04

andrea-guarino-sonarsource changed the title ~~SONARPY-489 Rule S2053: Hashes should include an unpredictable salt~~ SONARPY-489 Rule S2092: Creating cookies without the "secure" flag is security-sensitive Feb 3, 2020

andrea-guarino-sonarsource force-pushed the SONARPY-489 branch from d6f9167 to 8594962 Compare February 3, 2020 11:06

guillaume-dequenne reviewed Feb 3, 2020

View reviewed changes

guillaume-dequenne approved these changes Feb 4, 2020

View reviewed changes

andreaguarino added 7 commits February 4, 2020 09:50

SONARPY-489 Rule S2092: Creating cookies without the "secure" flag is…

8616400

… security-sensitive

SONARPY-489 Support django.http.Response#set_cookie

50c8bbc

SONARPY-489 Support flask.Response#set_cookie

4e38ba9

check positional arguments

02a9041

Update RSPEC

38857f7

change variable name class symbol

38c5cf7

Fix after review

5879569

andrea-guarino-sonarsource force-pushed the SONARPY-489 branch from e426190 to 5879569 Compare February 4, 2020 08:53

andrea-guarino-sonarsource merged commit 8cfd979 into master Feb 4, 2020

andrea-guarino-sonarsource deleted the SONARPY-489 branch February 4, 2020 09:08

hashicorp-vault-sonar-prod Bot pushed a commit that referenced this pull request Oct 3, 2025

SONARPY-3296 Implement support for Langchain in S7693 (#548)

a257112

GitOrigin-RevId: 6f869848853e50be065ae5cb257c74c3691001d0

hashicorp-vault-sonar-prod Bot pushed a commit that referenced this pull request Oct 15, 2025

SONARPY-3296 Implement support for Langchain in S7693 (#548)

715304f

GitOrigin-RevId: 6f869848853e50be065ae5cb257c74c3691001d0

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SONARPY-489 Rule S2092: Creating cookies without the "secure" flag is security-sensitive#548

SONARPY-489 Rule S2092: Creating cookies without the "secure" flag is security-sensitive#548
andrea-guarino-sonarsource merged 7 commits into
masterfrom
SONARPY-489

andrea-guarino-sonarsource commented Feb 3, 2020

Uh oh!

guillaume-dequenne Feb 3, 2020

Uh oh!

guillaume-dequenne Feb 3, 2020

Uh oh!

andrea-guarino-sonarsource Feb 3, 2020

Uh oh!

guillaume-dequenne Feb 3, 2020

Uh oh!

andrea-guarino-sonarsource Feb 3, 2020

Uh oh!

guillaume-dequenne Feb 3, 2020

Uh oh!

andrea-guarino-sonarsource Feb 3, 2020

Uh oh!

andrea-guarino-sonarsource Feb 3, 2020

Uh oh!

guillaume-dequenne left a comment

Uh oh!

guillaume-dequenne Feb 4, 2020

Uh oh!

andrea-guarino-sonarsource Feb 4, 2020

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

andrea-guarino-sonarsource commented Feb 3, 2020

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

guillaume-dequenne left a comment

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants