Use Safe Parameters in flask Response set_cookie Call

[pixeebot]

This codemod sets the most secure parameters when Flask applications call set_cookie on a response object. Without these parameters, your Flask
application cookies may be vulnerable to being intercepted and used to gain access to sensitive data.

The changes from this codemod look like this:

  from flask import Flask, session, make_response
  app = Flask(__name__)
  @app.route('/')
    def index():
      resp = make_response('Custom Cookie Set')
    - resp.set_cookie('custom_cookie', 'value')
    + resp.set_cookie('custom_cookie', 'value', secure=True, httponly=True, samesite='Lax')
      return resp

More reading

• https://flask.palletsprojects.com/en/3.0.x/api/#flask.Response.set_cookie
• https://owasp.org/www-community/controls/SecureCookieAttribute
• https://cwe.mitre.org/data/definitions/614

I have additional improvements ready for this repo! If you want to see them, leave the comment:

@pixeebot next

... and I will open a new PR right away!

🧚🤖 Powered by Pixeebot

Feedback | Community | Docs | Codemod ID: pixee:python/secure-flask-cookie

[pixeebot]

I'm confident in this change, but I'm not a maintainer of this project. Do you see any reason not to merge it?

If this change was not helpful, or you have suggestions for improvements, please let me know!

[pixeebot]

Just a friendly ping to remind you about this change. If there are concerns about it, we'd love to hear about them!

[pixeebot]

This change may not be a priority right now, so I'll close it. If there was something I could have done better, please let me know!

You can also customize me to make sure I'm working with you in the way you want.