fix(ui): mint the demo cookie without reading client input (CodeQL)#28
Merged
Conversation
CodeQL flagged "construction of a cookie using user-supplied input" on the demo-mode session cookie. The previous demo_session() returned a tuple (existing_cookie, fresh_token); CodeQL's tuple-taint tracking conflated the two and treated the freshly minted token as tainted, even though set_cookie only ever writes the minted secret. Replace it with mint_demo_cookie(), which checks only whether the cookie is present (never reads its value) and returns a fresh secrets token or None. The client's cookie value is now used solely as the in-memory quota key and never flows to Set-Cookie. Add a regression test asserting the cookie is server-minted and never reflected. https://claude.ai/code/session_01F6oNAiyr3AfD5dsZ7G2Vy4
Follow-up to #25.
CodeQL kept flagging "construction of a cookie using user-supplied input" on the demo-mode session cookie (webui.py). The previous demo_session() returned a tuple (existing_cookie, fresh_token), and CodeQL's tuple-taint tracking conflated the two — treating the freshly minted token as tainted even though set_cookie only ever writes the minted secret (a behavioural false positive, since the client value was only used as the in-memory quota key).
Fix: replace it with mint_demo_cookie(request), which checks only whether the cookie is present (never reads its value) and returns a fresh secrets token or None. The client's cookie value is now used solely as the quota key and never flows into a Set-Cookie header, so there is no request→cookie dataflow for CodeQL to follow. Add a regression test asserting the cookie is server-minted and never reflected back when the client sends a crafted value.
ruff/mypy/14 web-UI tests pass.
https://claude.ai/code/session_01F6oNAiyr3AfD5dsZ7G2Vy4
Generated by Claude Code
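The before/after shape the PR describes, as an added illustration that is not the project's webui.py: the Request and Response stand-ins, the cookie name "demo_session", the handle() helper and the quota dict are assumptions, and the framework's set_cookie is replaced by a recorder so the test can check exactly what would reach a Set-Cookie header.

```python
import secrets
from dataclasses import dataclass, field

COOKIE_NAME = "demo_session"  # assumed name; the PR does not state it


@dataclass
class Request:
    """Minimal stand-in for the framework request (constructed here)."""
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    """Minimal stand-in for the response; records what set_cookie would emit."""
    headers: list = field(default_factory=list)

    def set_cookie(self, name: str, value: str) -> None:
        self.headers.append(("Set-Cookie", f"{name}={value}"))


def demo_session(request: Request):
    """Before: the client's value and the minted token share one tuple.
    Only fresh_token was ever written, but the tuple is what CodeQL's
    taint tracking conflated."""
    existing = request.cookies.get(COOKIE_NAME)
    fresh = None if existing is not None else secrets.token_urlsafe(32)
    return existing, fresh


def mint_demo_cookie(request: Request):
    """After: only asks whether the cookie is present, never reads its value.
    Returns a server-minted token for a new visitor, or None if one exists."""
    if COOKIE_NAME in request.cookies:
        return None
    return secrets.token_urlsafe(32)


def handle(request: Request, response: Response, quota: dict) -> str:
    """Demo-mode handler: the client's value serves only as an in-memory
    quota key; the only value that reaches Set-Cookie is the minted one."""
    fresh = mint_demo_cookie(request)
    if fresh is not None:
        response.set_cookie(COOKIE_NAME, fresh)
    key = fresh if fresh is not None else request.cookies[COOKIE_NAME]
    quota[key] = quota.get(key, 0) + 1
    return key
```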