asf-tooling opened a new issue, #1105:
URL: https://github.com/apache/tooling-trusted-releases/issues/1105
**ASVS Level(s):** L2-only
**Description:**
### Summary
The `util.write_quart_session_cookie()` function is called during the
request lifecycle but its source code is not included in the audit scope. If
this function uses `response.set_cookie()` directly rather than
`quart.session`, it must explicitly pass `httponly=True` to maintain
compliance. If it writes to `quart.session`, the framework-level
`SESSION_COOKIE_HTTPONLY` config is automatically applied. If
`write_quart_session_cookie` bypasses Quart's session framework and does not
set HttpOnly, the session cookie would be accessible to client-side JavaScript,
enabling session hijacking via XSS.
### Details
The issue exists in `atr/server.py` lines 316-319 (function call) and
`atr/util.py` (function implementation - unknown line, not in audit scope).
### Recommended Remediation
Verify that `atr/util.py::write_quart_session_cookie()` either:
**Option A (Preferred):** Uses `quart.session` (inherits HttpOnly from
config):
```python
import quart


async def write_quart_session_cookie(cookie_id: str, session_data: dict) -> None:
    """Write session data using Quart's session framework."""
    # Quart emits the cookie itself, so SESSION_COOKIE_HTTPONLY=True from the
    # app config is applied; cookie_id is the key under which the data is stored
    # (taken as a parameter here, since the original snippet left it undefined).
    quart.session[cookie_id] = session_data
```
**Option B:** If using `response.set_cookie()` directly, explicitly sets
`httponly=True`:
```python
import quart

SESSION_MAX_AGE = 60 * 60 * 24  # cookie lifetime in seconds (illustrative value)


async def write_quart_session_cookie(response: quart.Response, session_data: dict) -> None:
    """Write session cookie with explicit HttpOnly flag."""
    # serialize_session() is assumed to be the project's existing serializer.
    response.set_cookie(
        key='session',
        value=serialize_session(session_data),
        httponly=True,      # Explicit HttpOnly
        secure=True,        # HTTPS only
        samesite='Strict',  # CSRF protection
        path='/',
        max_age=SESSION_MAX_AGE,
    )
```
### Acceptance Criteria
- [ ] Source code of write_quart_session_cookie() reviewed
- [ ] Function uses quart.session OR explicitly sets httponly=True
- [ ] Unit tests verify HttpOnly flag is set
- [ ] Integration tests verify session cookie has HttpOnly attribute
- [ ] Manual testing confirms cookie is not accessible to JavaScript
- [ ] Documentation updated with session cookie implementation details
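A check of the kind the integration-test criterion above calls for, added here as an illustration and not part of this issue or of the ATR code base: it parses a `Set-Cookie` header and reports whether HttpOnly, Secure and SameSite (the attributes Option B sets) are present, so it can be run against whatever header the service actually emits. The cookie name `session` and the two sample headers are constructed assumptions.

```python
def parse_set_cookie(header: str) -> tuple[str, str, dict]:
    """Split a Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; valueless attributes such as HttpOnly
    map to True, valued ones such as SameSite=Strict map to their string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header: str, cookie_name: str = "session") -> list[str]:
    """Return the problems found; an empty list means the cookie passes."""
    name, _, attrs = parse_set_cookie(header)
    if name != cookie_name:
        return [f"cookie name is {name!r}, expected {cookie_name!r}"]
    problems = []
    if attrs.get("httponly") is not True:
        problems.append("missing HttpOnly")  # the ASVS 3.3.4 / CWE-1004 point
    if attrs.get("secure") is not True:
        problems.append("missing Secure")
    if str(attrs.get("samesite", "")).lower() not in ("strict", "lax"):
        problems.append("SameSite is not Strict or Lax")
    return problems


def audit_response(headers: list[tuple[str, str]], cookie_name: str = "session") -> list[str]:
    """Locate the session cookie among a response's Set-Cookie headers and audit it."""
    for key, val in headers:
        if key.lower() == "set-cookie" and parse_set_cookie(val)[0] == cookie_name:
            return audit_session_cookie(val, cookie_name)
    return [f"no Set-Cookie header for {cookie_name!r}"]


# Constructed sample headers, not captured from the ATR service.
WEAK = "session=abc123; Path=/; Max-Age=86400"
HARDENED = "session=abc123; Path=/; Max-Age=86400; HttpOnly; Secure; SameSite=Strict"

if __name__ == "__main__":
    for label, hdr in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_session_cookie(hdr) or "OK")
```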
### References
- Source reports: L2:3.3.4.md
- Related findings: None
- ASVS sections: 3.3.4
- CWE: CWE-1004
### Priority
Low
---
**Triage notes:** very-low
--
This is an automated message from the Apache Git Service.