
Construction of a cookie using user-supplied input

ID: py/cookie-injection
Kind: path-problem
Security severity: 5.0
Severity: warning
Precision: high
Tags:
  - security
  - external/cwe/cwe-020
Query suites:
  - python-code-scanning.qls
  - python-security-extended.qls
  - python-security-and-quality.qls

Constructing cookies from user input can allow an attacker to control a user's cookie. This may lead to a session fixation attack. Additionally, client code may not expect a cookie to contain attacker-controlled data, and fail to sanitize it for common vulnerabilities such as Cross Site Scripting (XSS). An attacker manipulating the raw cookie header may additionally be able to set cookie attributes such as HttpOnly to insecure values.

Recommendation

Do not use raw user input to construct cookies.

Example

In the following cases, a cookie is constructed for a Flask response using user input. The first uses set_cookie, and the second sets a cookie's raw value through the Set-Cookie header.

from flask import Flask, request, make_response

app = Flask(__name__)


@app.route("/1")
def set_cookie():
    resp = make_response()
    resp.set_cookie(request.args["name"],  # BAD: User input is used to set the cookie's name and value
                    value=request.args["name"])
    return resp


@app.route("/2")
def set_cookie_header():
    resp = make_response()
    resp.headers['Set-Cookie'] = f"{request.args['name']}={request.args['name']};"  # BAD: User input is used to set the raw cookie header.
    return resp
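The raw-header case above beside a hardened builder, as an added example that is not part of the CodeQL documentation. It uses only the standard library so it runs without Flask; the allowed cookie names, the value pattern and the attribute set are assumptions chosen for the illustration, and the parser only models how a client splits a Set-Cookie header so the effect of an injected value can be inspected.

```python
import re
import secrets

# Assumed allowlist of characters permitted in a cookie value: a subset of the
# RFC 6265 cookie-octet set, deliberately excluding ';', ',', '"', '\\',
# whitespace and control characters, so no attribute separator can be injected.
_COOKIE_VALUE_RE = re.compile(r"[A-Za-z0-9._~-]{1,128}")

# Cookie names an application sets are fixed at design time, never user-chosen.
# (Assumed set for this example.)
ALLOWED_COOKIE_NAMES = frozenset({"session", "theme"})


def build_set_cookie_raw(name, value):
    """Vulnerable: mirrors the page's second case, an f-string built from user input.
    A value such as 'abc; Path=/; Domain=example.com' injects cookie attributes."""
    return f"{name}={value};"


def is_valid_cookie_value(value):
    """True only if the value contains nothing that could act as an attribute separator."""
    return isinstance(value, str) and _COOKIE_VALUE_RE.fullmatch(value) is not None


def build_set_cookie_safe(name, value):
    """Hardened: the name comes from an allowlist, the value is strictly validated,
    and the security attributes are set by the server rather than the request."""
    if name not in ALLOWED_COOKIE_NAMES:
        raise ValueError(f"cookie name not allowed: {name!r}")
    if not is_valid_cookie_value(value):
        raise ValueError("cookie value contains disallowed characters")
    return f"{name}={value}; Path=/; HttpOnly; Secure; SameSite=Lax"


def new_session_cookie():
    """Session fixation mitigation: the session identifier is generated server-side
    with a CSPRNG and never taken from the request."""
    return build_set_cookie_safe("session", secrets.token_urlsafe(32))


def parse_set_cookie(header):
    """Split a Set-Cookie header the way a client does: first pair is the cookie,
    every further ';'-separated part is an attribute (value True when bare)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.lower()] = val if val else True
    return name, value, attrs
```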
