Merge branch 'develop' into fix-run-as-non-root-security-context-pod-…
…level
Showing 12 changed files with 173 additions and 7 deletions.
39 changes: 39 additions & 0 deletions
python/flask/security/audit/flask-cors-misconfiguration.py
@@ -0,0 +1,39 @@ | ||
from flask import Flask, jsonify | ||
from flask_cors import CORS, cross_origin | ||
|
||
app = Flask(__name__) | ||
|
||
# Enable global CORS for all origins and allow credentials | ||
# ruleid: flask-cors-misconfiguration | ||
CORS(app, supports_credentials=True, origins="*") | ||
|
||
# Enable global CORS for all origins and allow credentials using "resources" dictionary | ||
# ruleid: flask-cors-misconfiguration | ||
cors = CORS(app, resources={ | ||
r"/*": {"origins": "*", "supports_credentials": True}}) | ||
|
||
|
||
@app.route('/data', methods=['GET']) | ||
def get_data(): | ||
# This route uses the global CORS configuration | ||
return jsonify({"message": "CORS is enabled for all origins with credentials support (global config)!"}) | ||
|
||
|
||
@app.route('/special-data', methods=['GET']) | ||
# CORS applied only to this route | ||
# ruleid: flask-cors-misconfiguration | ||
@cross_origin(supports_credentials=True, origins="*") | ||
def get_special_data(): | ||
# This route uses the CORS decorator for route-specific CORS settings | ||
return jsonify({"message": "CORS is enabled with credentials (route-specific config)!"}) | ||
|
||
|
||
@app.route('/safe-route', methods=['GET']) | ||
# ok: flask-cors-misconfiguration | ||
@cross_origin(supports_credentials=True, origins=["https://foo.com", "https://bar.com"]) | ||
def safe_route(): | ||
return jsonify({"message": "CORS is enabled only for specific origins!"}) | ||
|
||
|
||
if __name__ == '__main__': | ||
app.run() |
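Review bot: the fixture has no case for `CORS(app, supports_credentials=True)` with `origins` omitted, which Flask-Cors defaults to `*` and which therefore reflects the request Origin with credentials exactly like the `ruleid` case `CORS(app, supports_credentials=True, origins="*")`; add that as a `ruleid` case, and a `ruleid` case for the list form `origins=["*"]`, so the rule is exercised on the shapes real code actually uses. A minor nit: `CORS(app, ...)` is applied to the same `app` twice, once bare and once assigned to `cors`; that is harmless for a pattern test, but a one-line comment saying the second call only exists to exercise the `resources` form would save the next reader a double take.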
36 changes: 36 additions & 0 deletions
python/flask/security/audit/flask-cors-misconfiguration.yaml
@@ -0,0 +1,36 @@ | ||
rules: | ||
- id: flask-cors-misconfiguration | ||
message: >- | ||
Setting 'support_credentials=True' together with 'origin="*"' is a CORS | ||
misconfiguration that can allow third party origins to read sensitive | ||
data. Using this configuration, flask_cors will dynamically reflects the | ||
Origin of each request in the Access-Control-Allow-Origin header, allowing | ||
all origins and allowing cookies and credentials to be sent along with | ||
request. It is recommended to specify allowed origins instead of using "*" | ||
when setting 'support_credentials=True'. | ||
languages: | ||
- python | ||
severity: WARNING | ||
patterns: | ||
- pattern-either: | ||
- pattern: | | ||
@cross_origin(..., origins="*", supports_credentials=True, ...) | ||
- pattern: | | ||
CORS(..., supports_credentials=True, origins="*", ...) | ||
- pattern: | | ||
CORS(..., resources={"...": {...,"origins": "*", | ||
"supports_credentials": True,...}}) | ||
metadata: | ||
category: security | ||
subcategory: | ||
- audit | ||
cwe: | ||
- "CWE 942: Permissive Cross-domain Policy with Untrusted Domains" | ||
confidence: HIGH | ||
likelihood: LOW | ||
impact: HIGH | ||
technology: | ||
- flask | ||
references: | ||
- https://pypi.org/project/Flask-Cors/ | ||
- https://flask-cors.readthedocs.io/en/latest/index.html |
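Review bot: the message names the wrong parameters; it says 'support_credentials=True' and 'origin="*"' while the patterns below it (and the Flask-Cors API) use `supports_credentials` and `origins`, so anyone grepping their code for the spelling in the finding will not find the call. 'flask_cors will dynamically reflects' should also read 'reflect'. On the patterns themselves, only the literal string `"*"` is matched, so `origins=["*"]` and a `CORS(app, supports_credentials=True)` call that relies on the Flask-Cors default of `*` both slip past; consider adding `origins=["*"]` variants to each pattern and a `pattern: CORS(..., supports_credentials=True, ...)` combined with `pattern-not: CORS(..., origins=$X, ...)` for the omitted case. Minor: the CWE entry is written 'CWE 942: ...' while the uuid rule in this same commit uses 'CWE-330: ...'; pick one format.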
@@ -0,0 +1,19 @@ | ||
import uuid | ||
def example_1(): | ||
# ruleid:insecure-uuid-version | ||
uuid = uuid.uuid1() | ||
|
||
from uuid import uuid1 | ||
def example_2(): | ||
# ruleid:insecure-uuid-version | ||
uuid = uuid1() | ||
|
||
from uuid import * | ||
def example_3(): | ||
# ruleid:insecure-uuid-version | ||
uuid = uuid1() | ||
|
||
import uuid | ||
def unrelated_function(): | ||
# ok:insecure-uuid-version | ||
uuid = uuid4() |
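Review bot: `example_1` assigns to a local named `uuid` on the same line it calls `uuid.uuid1()`, which makes `uuid` a local for the whole function and raises `UnboundLocalError` if the fixture is ever executed; likewise `unrelated_function` calls `uuid4()` after `import uuid`, which is a `NameError`. Semgrep never runs the file, so the `ruleid`/`ok` annotations still work, but rename the locals (e.g. `value = uuid.uuid1()`) and import `uuid4` where it is used so the fixture is valid Python. Also worth confirming in the test run that the `from uuid import *` case in `example_3` actually matches, since the rule only spells the pattern as `uuid.uuid1(...)` and relies on import resolution for the bare `uuid1()` calls.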
@@ -0,0 +1,33 @@ | ||
rules: | ||
- id: insecure-uuid-version | ||
patterns: | ||
- pattern: uuid.uuid1(...) | ||
message: >- | ||
Using UUID version 1 for UUID generation can lead to predictable UUIDs based on system information (e.g., MAC address, timestamp). This may lead to security risks such as the sandwich attack. Consider using `uuid.uuid4()` instead for better randomness and security. | ||
metadata: | ||
references: | ||
- https://www.landh.tech/blog/20230811-sandwich-attack/ | ||
cwe: | ||
- 'CWE-330: Use of Insufficiently Random Values' | ||
owasp: | ||
- A02:2021 - Cryptographic Failures | ||
asvs: | ||
section: V6 Stored Cryptography Verification Requirements | ||
control_id: 6.3.2 Insecure UUID Generation | ||
control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v63-random-values | ||
version: '4' | ||
category: security | ||
technology: | ||
- python | ||
subcategory: | ||
- audit | ||
likelihood: LOW | ||
impact: MEDIUM | ||
confidence: MEDIUM | ||
languages: | ||
- python | ||
severity: WARNING | ||
fix-regex: | ||
regex: uuid1 | ||
replacement: uuid4 | ||
|
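Review bot: the `fix-regex` is a textual swap of `uuid1` for `uuid4` over the matched call, so `uuid.uuid1(node=..., clock_seq=...)` would be rewritten to `uuid.uuid4(node=..., clock_seq=...)`, which raises `TypeError` because `uuid4()` takes no arguments; either restrict the autofix to the argument-free call (`pattern: uuid.uuid1()`, which in semgrep matches only zero-argument calls) with `fix: uuid.uuid4()`, or drop the autofix and leave the replacement to the reader. Style: `patterns:` wrapping a single `pattern:` can be flattened to `pattern: uuid.uuid1(...)`, and the message is one very long line where the flask-cors rule in this same commit wraps at about 80 columns.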