Construction of a cookie using user-supplied input — CodeQL query help documentation CodeQL docs

CodeQL resources

Construction of a cookie using user-supplied input¶

ID: py/cookie-injection
Kind: path-problem
Security severity: 5.0
Severity: warning
Precision: high
Tags:
   - security
   - external/cwe/cwe-020
Query suites:
   - python-code-scanning.qls
   - python-security-extended.qls
   - python-security-and-quality.qls

Click to see the query in the CodeQL repository

Constructing cookies from user input can allow an attacker to control a user’s cookie. This may lead to a session fixation attack. Additionally, client code may not expect a cookie to contain attacker-controlled data, and fail to sanitize it for common vulnerabilities such as Cross Site Scripting (XSS). An attacker manipulating the raw cookie header may additionally be able to set cookie attributes such as HttpOnly to insecure values.

Recommendation¶

Do not use raw user input to construct cookies.

Example¶

In the following cases, a cookie is constructed for a Flask response using user input. The first uses set_cookie, and the second sets a cookie’s raw value through the set-cookie header.

from flask import request, make_response


@app.route("/1")
def set_cookie():
    resp = make_response()
    resp.set_cookie(request.args["name"], # BAD: User input is used to set the cookie's name and value
                    value=request.args["name"])
    return resp


@app.route("/2")
def set_cookie_header():
    resp = make_response()
    resp.headers['Set-Cookie'] = f"{request.args['name']}={request.args['name']};" # BAD: User input is used to set the raw cookie header.
    return resp

References¶

Wikipedia - Session Fixation.
Common Weakness Enumeration: CWE-20.

© GitHub, Inc.
Terms
Privacy