Ruby: Add rb/weak-cookie-configuration query
#7313
Conversation
Very nice!
| @@ -0,0 +1,2 @@ | |||
| lgtm,codescanning | |||
There was a problem hiding this comment.
The new guidance in #7400 suggests this changenote should go in ruby/ql/src/change-notes.
There was a problem hiding this comment.
Indeed. Also, note the new format for the metadata at the top of the change note.
There was a problem hiding this comment.
Hopefully in the correct format now.
| loc.getFile().getStem() = "test" | ||
| } | ||
|
|
||
| private DataFlow::Node getTransitiveReceiver(DataFlow::CallNode c) { |
There was a problem hiding this comment.
I think this predicate is equivalent to c.getReceiver+().
There was a problem hiding this comment.
Nice! For some reason I thought that +/* relied on the result type being guaranteed to have a member predicate with the same name and result type, but this doesn't seem to be the case.
|
I'll hold off on merging this until #7273 is in. |
Co-authored-by: Nick Rolfe <nickrolfe@github.com>
|
QHelp previews: ruby/ql/src/queries/security/cwe-732/WeakCookieConfiguration.qhelpWeak cookie configurationCookies can be used for security measures, such as authenticating a user based on cookies sent with a request. Misconfiguration of cookie settings in a web application can expose users to attacks that compromise these security measures. RecommendationModern web frameworks typically have good default configuration for cookie settings. If an application overrides these settings, then take care to ensure that these changes are necessary and that they don't weaken the cookie configuration. ExampleIn the first example, the value of In the second example, this option is instead set to module App
class Application < Rails::Application
# Sets default `Set-Cookie` `SameSite` attribute to `None`
config.action_dispatch.cookies_same_site_protection = :none
# Sets default `Set-Cookie` `SameSite` attribute to `Strict`
config.action_dispatch.cookies_same_site_protection = :strict
end
endReferences
|
|
Leaving a note-to-self to double check this, as the merge conflict resolution for |
|
QHelp previews: ruby/ql/src/queries/security/cwe-732/WeakCookieConfiguration.qhelpWeak cookie configurationCookies can be used for security measures, such as authenticating a user based on cookies sent with a request. Misconfiguration of cookie settings in a web application can expose users to attacks that compromise these security measures. RecommendationModern web frameworks typically have good default configuration for cookie settings. If an application overrides these settings, then take care to ensure that these changes are necessary and that they don't weaken the cookie configuration. ExampleIn the first example, the value of In the second example, this option is instead set to module App
class Application < Rails::Application
# Sets default `Set-Cookie` `SameSite` attribute to `None`
config.action_dispatch.cookies_same_site_protection = :none
# Sets default `Set-Cookie` `SameSite` attribute to `Strict`
config.action_dispatch.cookies_same_site_protection = :strict
end
endReferences
|
|
QHelp previews: ruby/ql/src/queries/security/cwe-732/WeakCookieConfiguration.qhelpWeak cookie configurationCookies can be used for security measures, such as authenticating a user based on cookies sent with a request. Misconfiguration of cookie settings in a web application can expose users to attacks that compromise these security measures. RecommendationModern web frameworks typically have good default configuration for cookie settings. If an application overrides these settings, then take care to ensure that these changes are necessary and that they don't weaken the cookie configuration. ExampleIn the first example, the value of In the second example, this option is instead set to module App
class Application < Rails::Application
# Sets default `Set-Cookie` `SameSite` attribute to `None`
config.action_dispatch.cookies_same_site_protection = :none
# Sets default `Set-Cookie` `SameSite` attribute to `Strict`
config.action_dispatch.cookies_same_site_protection = :strict
end
endReferences
|
|
QHelp previews: ruby/ql/src/queries/security/cwe-732/WeakCookieConfiguration.qhelpWeak cookie configurationCookies can be used for security measures, such as authenticating a user based on cookies sent with a request. Misconfiguration of cookie settings in a web application can expose users to attacks that compromise these security measures. RecommendationModern web frameworks typically have good default configuration for cookie settings. If an application overrides these settings, then take care to ensure that these changes are necessary and that they don't weaken the cookie configuration. ExampleIn the first example, the value of In the second example, this option is instead set to module App
class Application < Rails::Application
# Sets default `Set-Cookie` `SameSite` attribute to `None`
config.action_dispatch.cookies_same_site_protection = :none
# Sets default `Set-Cookie` `SameSite` attribute to `Strict`
config.action_dispatch.cookies_same_site_protection = :strict
end
endReferences
|
|
It's not clear to me why this needs a review from the Python team. Am I missing something? |
Thanks for noticing this, the Python and JS review requests weren't necessary. They were left over from before the merge conflict was resolved (as this PR included changes to |
| } | ||
| } | ||
|
|
||
| private class LiteralSetting extends Setting { |
There was a problem hiding this comment.
I noticed some results for this class are actually reads, not writes. For example: https://github.com/gitlabhq/gitlabhq/blob/6d29831123c8c806dc75d64e29b7691576cbea7f/lib/gitlab/database.rb#L187
It's a private class, and the way it gets used with specific setter method names means it should be ok, but I wonder if we should save ourselves some headaches for future uses, either by restricting the class more, or adding a note in a comment.
There was a problem hiding this comment.
Definitely makes sense to restrict these classes further - I've restricted Setting nodes to ones that correspond to a SetterMethodCall.
|
QHelp previews: ruby/ql/src/queries/security/cwe-732/WeakCookieConfiguration.qhelpWeak cookie configurationCookies can be used for security measures, such as authenticating a user based on cookies sent with a request. Misconfiguration of cookie settings in a web application can expose users to attacks that compromise these security measures. RecommendationModern web frameworks typically have good default configuration for cookie settings. If an application overrides these settings, then take care to ensure that these changes are necessary and that they don't weaken the cookie configuration. ExampleIn the first example, the value of In the second example, this option is instead set to module App
class Application < Rails::Application
# Sets default `Set-Cookie` `SameSite` attribute to `None`
config.action_dispatch.cookies_same_site_protection = :none
# Sets default `Set-Cookie` `SameSite` attribute to `Strict`
config.action_dispatch.cookies_same_site_protection = :strict
end
endReferences
|
This PR adds a query to check for potential weak cookie configuration options for Rails - in theory we could extend this to cover other frameworks.
The defaults for Rails seem quite safe here, so we only look for cases where these defaults are overriden. In particular, we check for three settings in non-test configuration:
config.action_dispatch.encrypted_cookie_cipherset to a cipher that we believe to be weakconfig.action_dispatch.use_authenticated_cookie_encryptionset to falseconfig.action_dispatch.cookies_same_site_protectionset to either:none/"none"/etc. ornilIn the last of these, the option can also be set to a proc that can take a
requestand behave differently depending on this request - this PR doesn't cover that case.The text was updated successfully, but these errors were encountered: