Skip to content

Python: Split Insecure Cookie query into multiple queries #20494

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 13 commits into from
Oct 24, 2025
Merged

Python: Split Insecure Cookie query into multiple queries #20494

merged 13 commits into from
Oct 24, 2025

Conversation

@joefarebrother
Copy link
Contributor

Splits the py/insecure-cookie query into py/insecure-cookie, py/client-exposed-cookie, and py/samesite-none-cookie.
This is closer to how these queries are handled in JS with js/clear-text-cookie, js/client-exposed-cookie, and js/samesite-none-cookie queries.

@joefarebrother joefarebrother requested a review from a team as a code owner September 19, 2025 14:32
Copilot AI review requested due to automatic review settings September 19, 2025 14:32
Copilot AI reviewed Sep 19, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR splits the existing py/insecure-cookie query into three separate, more focused queries to better align with JavaScript's cookie security query structure. The original query checked for multiple cookie security attributes in a single query, while the new approach separates concerns into distinct queries.

  • Refactors py/insecure-cookie to only check for missing Secure attribute
  • Creates new py/client-exposed-cookie query for missing HttpOnly attribute
  • Creates new py/samesite-none-cookie query for SameSite=None attribute issues

Reviewed Changes

Copilot reviewed 19 out of 19 changed files in this pull request and generated no comments.

Show a summary per file
File Description
python/ql/src/Security/CWE-614/InsecureCookie.ql Simplified to only check for missing Secure attribute
python/ql/src/Security/CWE-1004/NonHttpOnlyCookie.ql New query for missing HttpOnly attribute
python/ql/src/Security/CWE-1275/SameSiteNoneCookie.ql New query for SameSite=None issues
python/ql/test/query-tests/Security/CWE-614-InsecureCookie/test.py Updated test with inline expectations for new query behavior
python/ql/src/change-notes/2025-09-19-insecure-cookie.md Documents the query split changes
Comments suppressed due to low confidence (2)

github-advanced-security[bot]
github-advanced-security bot found potential problems Sep 19, 2025
View reviewed changes
@joefarebrother joefarebrother marked this pull request as draft September 19, 2025 21:41
@joefarebrother joefarebrother changed the title Python: Split Insecure Cookie query into multiple queries [Draft] Python: Split Insecure Cookie query into multiple queries Sep 19, 2025
@github-actions
Copy link
Contributor

QHelp previews:

python/ql/src/Security/CWE-1004/NonHttpOnlyCookie.qhelp

Sensitive cookie missing HttpOnly attribute.

Cookies without the HttpOnly flag set are accessible to JavaScript running in the same origin. In case of a Cross-Site Scripting (XSS) vulnerability, the cookie can be stolen by a malicious script. If a sensitive cookie does not need to be accessed directly by client-side JS, the HttpOnly flag should be set.

Recommendation

Set httponly to True, or add ; HttpOnly; to the cookie's raw header value, to ensure that the cookie is not accessible via JavaScript.

Example

In the following examples, the cases marked GOOD show secure cookie attributes being set; whereas in the case marked BAD they are not set.

from flask import Flask, request, make_response, Response


@app.route("/good1")
def good1():
    resp = make_response()
    resp.set_cookie("sessionid", value="value", secure=True, httponly=True, samesite='Strict') # GOOD: Attributes are securely set
    return resp


@app.route("/good2")
def good2():
    resp = make_response()
    resp.headers['Set-Cookie'] = "sessionid=value; Secure; HttpOnly; SameSite=Strict" # GOOD: Attributes are securely set 
    return resp

@app.route("/bad1")
def bad1():
    resp = make_response()
    resp.set_cookie("sessionid", value="value", samesite='None') # BAD: the SameSite attribute is set to 'None' and the 'Secure' and 'HttpOnly' attributes are set to False by default.
    return resp

References

python/ql/src/Security/CWE-1275/SameSiteNoneCookie.qhelp

Sensitive cookie with SameSite attribute set to None.

Cookies with the SameSite attribute set to 'None' will be sent with cross-origin requests. This can sometimes allow for Cross-Site Request Forgery (CSRF) attacks, in which a third-party site could perform actions on behalf of a user, if the cookie is used for authentication.

Recommendation

Set the samesite to Lax or Strict, or add ; SameSite=Lax;, or ; SameSite=Strict; to the cookie's raw header value. The default value in most cases is Lax.

Example

In the following examples, the cases marked GOOD show secure cookie attributes being set; whereas in the case marked BAD they are not set.

from flask import Flask, request, make_response, Response


@app.route("/good1")
def good1():
    resp = make_response()
    resp.set_cookie("sessionid", value="value", secure=True, httponly=True, samesite='Strict') # GOOD: Attributes are securely set
    return resp


@app.route("/good2")
def good2():
    resp = make_response()
    resp.headers['Set-Cookie'] = "sessionid=value; Secure; HttpOnly; SameSite=Strict" # GOOD: Attributes are securely set 
    return resp

@app.route("/bad1")
def bad1():
    resp = make_response()
    resp.set_cookie("sessionid", value="value", samesite='None') # BAD: the SameSite attribute is set to 'None' and the 'Secure' and 'HttpOnly' attributes are set to False by default.
    return resp

References

python/ql/src/Security/CWE-614/InsecureCookie.qhelp

Failure to use secure cookies

Cookies without the Secure flag set may be transmitted using HTTP instead of HTTPS. This leaves them vulnerable to being read by a third party attacker. If a sensitive cookie such as a session key is intercepted this way, it would allow the attacker to perform actions on a user's behalf.

Recommendation

Always set secure to True, or add ; Secure; to the cookie's raw header value, to ensure SSL is used to transmit the cookie with encryption.

Example

In the following examples, the cases marked GOOD show secure cookie attributes being set; whereas in the case marked BAD they are not set.

from flask import Flask, request, make_response, Response


@app.route("/good1")
def good1():
    resp = make_response()
    resp.set_cookie("sessionid", value="value", secure=True, httponly=True, samesite='Strict') # GOOD: Attributes are securely set
    return resp


@app.route("/good2")
def good2():
    resp = make_response()
    resp.headers['Set-Cookie'] = "sessionid=value; Secure; HttpOnly; SameSite=Strict" # GOOD: Attributes are securely set 
    return resp

@app.route("/bad1")
def bad1():
    resp = make_response()
    resp.set_cookie("sessionid", value="value", samesite='None') # BAD: the SameSite attribute is set to 'None' and the 'Secure' and 'HttpOnly' attributes are set to False by default.
    return resp

References

github-advanced-security[bot]
github-advanced-security bot found potential problems Sep 23, 2025
View reviewed changes
@joefarebrother joefarebrother marked this pull request as ready for review September 24, 2025 10:12
@joefarebrother joefarebrother changed the title [Draft] Python: Split Insecure Cookie query into multiple queries Python: Split Insecure Cookie query into multiple queries Sep 24, 2025
github-advanced-security[bot]
github-advanced-security bot found potential problems Sep 25, 2025
View reviewed changes
python/ql/src/Security/CWE-1004/NonHttpOnlyCookie.ql
Comment on lines +17 to +21
from Http::Server::CookieWrite cookie
where
cookie.hasHttpOnlyFlag(false) and
cookie.isSensitive()
select cookie, "Sensitive server cookie is set without HttpOnly flag."

Check warning

Code scanning / CodeQL

Consistent alert message Warning

The py/client-exposed-cookie query does not have the same alert message as js.
tausbn
tausbn approved these changes Oct 23, 2025
View reviewed changes
Copy link
Contributor

@tausbn tausbn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me! The added documentation is especially nice. 👍

@joefarebrother joefarebrother merged commit 8c277bd into github:main Oct 24, 2025
20 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@tausbn tausbn tausbn approved these changes

Assignees

No one assigned

Labels

documentation Python

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@joefarebrother @tausbn