rb/weak-cookie-configuration query #7313
This PR adds a query to check for potential weak cookie configuration options for Rails - in theory we could extend this to cover other frameworks. The defaults for Rails seem quite safe here, so we only look for cases where these defaults are overridden. In particular, we check for three settings in non-test configuration:
In the last of these, the option can also be set to a proc that can take a
ruby/change-notes/2021-12-06-weak-cookie-configuration.md Outdated| @@ -0,0 +1,2 @@ | |||
| lgtm,codescanning | |||
ruby/ql/src/change-notes.
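Review bot: the change-note path in this hunk's header (ruby/change-notes/2021-12-06-weak-cookie-configuration.md) does not match the ruby/ql/src/change-notes location the review comment beneath it refers to, so one of the two should be corrected; the `lgtm,codescanning` header line should also be checked against the format the later "Ruby: use new changenote format for rb/weak-cookie-configuration" commit adopts, so that release tooling picks the note up.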
ruby/ql/lib/codeql/ruby/Concepts.qll Outdated Show resolved Hide resolved ruby/ql/lib/codeql/ruby/frameworks/Rails.qll Outdated| loc.getFile().getStem() = "test" | ||
| } | ||
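Review bot: the `loc.getFile().getStem() = "test"` condition only excludes files whose name is exactly test.rb (such as config/environments/test.rb); a test-only settings file with another name, or one placed under a test or spec directory, would still be reported. If the intent is to skip all test configuration, consider matching on the file's path as well as its stem, and add a case for the excluded file to the rb/weak-cookie-configuration tests so the exclusion is exercised.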
|
|
||
| private DataFlow::Node getTransitiveReceiver(DataFlow::CallNode c) { |
c.getReceiver+().
Contributor Author
+/* relied on the result type being guaranteed to have a member predicate with the same name and result type, but this doesn't seem to be the case.
Contributor Author
I'll hold off on merging this until #7273 is in.
Ruby: add CookieSecurityConfigurationSetting concept
8a3d1fe
Ruby: add rb/weak-cookie-configuration query
737f733
Ruby: Tidy Rails.qll to make adding new settings modeling easier
5ce6e63
Ruby: Model some Rails cookie configuration settings
8976469
Ruby: add some rb/weak-cookie-configuration tests
71c5711
Ruby: add a change note for rb/weak-cookie-configuration
db967bd
Ruby: fix import
2cd0215
Ruby: behaviour -> behavior
Co-authored-by: Nick Rolfe <nickrolfe@github.com>
9821c4a
Ruby: remove unnecessary custom transitive version of getReceiver
d977e8a
Ruby: use new changenote format for rb/weak-cookie-configuration
7f01be7
Merge remote-tracking branch 'origin/main' into ruby/rails-cookie-config
7d3932d
QHelp previews: ruby/ql/src/queries/security/cwe-732/WeakCookieConfiguration.qhelp

Weak cookie configuration

Cookies can be used for security measures, such as authenticating a user based on cookies sent with a request. Misconfiguration of cookie settings in a web application can expose users to attacks that compromise these security measures.

Recommendation

Modern web frameworks typically have good default configuration for cookie settings. If an application overrides these settings, then take care to ensure that these changes are necessary and that they don't weaken the cookie configuration.

Example

In the first example, the value of

In the second example, this option is instead set to

```ruby
module App
  class Application < Rails::Application
    # Sets default `Set-Cookie` `SameSite` attribute to `None`
    config.action_dispatch.cookies_same_site_protection = :none
    # Sets default `Set-Cookie` `SameSite` attribute to `Strict`
    config.action_dispatch.cookies_same_site_protection = :strict
  end
end
```
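As an added illustration of the check this query describes (example code written for this page, not part of the PR or of the CodeQL project): a plain Ruby script that scans Rails configuration sources for overrides of `config.action_dispatch.cookies_same_site_protection`, skips files whose stem is "test" as the query does, and separates weak literal values from proc values that cannot be judged statically. The sample configuration files, the choice to treat `nil` as weak, and the `:dynamic` verdict for procs are assumptions of this example rather than statements of the page.

```ruby
# Added example: a line-level approximation of the rb/weak-cookie-configuration
# check, written for this page (not the CodeQL query itself). It scans Rails
# configuration sources for overrides of cookies_same_site_protection.
require 'pathname'

SETTING = 'config.action_dispatch.cookies_same_site_protection'.freeze

# Rails defaults this setting to :lax. :none emits SameSite=None and nil omits
# the attribute; treating nil as weak is an assumption of this example.
WEAK_VALUES   = ['nil', ':none'].freeze
STRONG_VALUES = [':lax', ':strict'].freeze

Finding = Struct.new(:file, :line, :value, :kind)

# Classify the right-hand side of an assignment to SETTING.
# :dynamic marks a proc/lambda, whose result depends on the request and
# therefore cannot be judged without running the application.
def classify(value)
  v = value.strip
  return :weak    if WEAK_VALUES.include?(v)
  return :strong  if STRONG_VALUES.include?(v)
  return :dynamic if v.start_with?('->', 'lambda', 'proc', 'Proc.new')
  :unknown
end

# Mirrors the query's exclusion of files whose stem is "test"
# (e.g. config/environments/test.rb).
def test_config?(path)
  Pathname.new(path).basename('.rb').to_s == 'test'
end

# Scan the contents of one file; returns Findings for every override that is
# not a known-strong literal. Trailing comments are stripped before matching,
# and a comparison (==) is deliberately not treated as an assignment.
def scan_file(path, contents)
  return [] if test_config?(path)
  pattern = /\A\s*#{Regexp.escape(SETTING)}\s*=(?!=)\s*(.+?)\s*\z/
  findings = []
  contents.each_line.with_index(1) do |line, n|
    m = line.sub(/#.*/, '').match(pattern)
    next unless m
    kind = classify(m[1])
    findings << Finding.new(path, n, m[1].strip, kind) unless kind == :strong
  end
  findings
end

def scan_all(files)
  files.flat_map { |path, contents| scan_file(path, contents) }
end

# Constructed sample configuration files (not taken from any real application).
SAMPLE_FILES = {
  'config/application.rb' => <<~RUBY,
    module App
      class Application < Rails::Application
        config.load_defaults 6.1
        config.action_dispatch.cookies_same_site_protection = :none  # weakens the default
      end
    end
  RUBY
  'config/environments/production.rb' => <<~RUBY,
    Rails.application.configure do
      config.action_dispatch.cookies_same_site_protection = :strict
    end
  RUBY
  'config/environments/staging.rb' => <<~RUBY,
    Rails.application.configure do
      config.action_dispatch.cookies_same_site_protection = ->(_req) { :lax }
    end
  RUBY
  'config/environments/test.rb' => <<~RUBY,
    Rails.application.configure do
      config.action_dispatch.cookies_same_site_protection = :none
    end
  RUBY
}.freeze

if __FILE__ == $PROGRAM_NAME
  scan_all(SAMPLE_FILES).each do |f|
    puts "#{f.file}:#{f.line}: #{SETTING} = #{f.value} (#{f.kind})"
  end
end
```

Run against the constructed files, the script reports the `:none` override in config/application.rb as weak and the proc in staging.rb as dynamic, stays silent on the `:strict` override, and ignores test.rb entirely. Reporting the dynamic case separately matters in practice: a per-request proc is exactly the value a static literal match would miss, so a reviewer still has to read it.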
Contributor Author
Leaving a note-to-self to double check this, as the merge conflict resolution for
Merge branch 'main' into ruby/rails-cookie-config
dadaf25
Ruby: behaviour -> behavior
36ea360
Ruby: formatting
712972c
It's not clear to me why this needs a review from the Python team. Am I missing something?

Thanks for noticing this, the Python and JS review requests weren't necessary. They were left over from before the merge conflict was resolved (as this PR included changes to
nickrolfe reviewed| } | ||
| } | ||
|
|
||
| private class LiteralSetting extends Setting { |
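Review bot: `LiteralSetting extends Setting` inherits whatever `Setting` matches, so the restriction to setter calls described in the reply below belongs in `Setting` itself rather than in each subclass; once the "Restrict Rails Setting nodes to SetterMethodCalls" change lands, add a test case where the setting name appears as a plain method call or read rather than an assignment, so the narrowing is exercised.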
Contributor Author
Setting nodes to ones that correspond to a SetterMethodCall.
Ruby: Restrict Rails Setting nodes to SetterMethodCalls
da8c745
nickrolfe approved these changes
f935df9 into main