fix(security): enable cookie secure flag, fix redos, add jwt decode warn#781
Security fixes addressing March 2026 security review findings:

CRITICAL fixes:
- Flask cookies now enforce `secure=True` flag (prevents session hijacking over HTTP)
- Replace ReDoS-vulnerable phone regex with simpler bounded pattern (prevents DoS)

HIGH severity fixes:
- Add deprecation warning to `decode_token_unverified()` (prevents misuse for auth)
- Add `SecurityWarning` when `skip_verify=True` is used (alerts TLS bypass)
- Document `skip_verify` in samples as local-dev-only (prevents production misuse)

The `skip_verify` parameter is intentionally kept for local development with self-signed certificates, but now emits clear warnings to prevent production use.

Fixes: Related to code scanning alert #2914 (phone regex)

Co-authored-by: Shuni <251468265+shuni-bot[bot]@users.noreply.github.com>
Pull request overview
Security-focused PR that addresses multiple vulnerabilities: enabling HTTPS-only cookies in the Flask integration, fixing a ReDoS vulnerability in phone number validation, and adding runtime warnings for insecure JWT decoding and TLS verification bypass.
Changes:
- Hardened cookie security (`secure=True`) and added runtime `SecurityWarning` for TLS bypass (`skip_verify=True`)
- Replaced a phone validation regex susceptible to catastrophic backtracking with a simpler bounded character-class pattern
- Added a deprecation warning to `decode_token_unverified()` and security comments in sample apps
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| descope/flask/__init__.py | Changed secure=False to secure=True for session cookies |
| descope/common.py | Replaced ReDoS-vulnerable phone regex with simple character-class pattern |
| descope/jwt_common.py | Added warnings.warn to decode_token_unverified() |
| descope/descope_client.py | Added SecurityWarning when skip_verify=True is used |
| samples/otp_web_sample_app.py | Added security comment about skip_verify usage |
| samples/password_web_sample_app.py | Added security comment about skip_verify usage |
|
| path=cookie_data.get("path", "/"), | ||
| domain=cookie_domain, | ||
| secure=False, # True | ||
| secure=True, # Cookies must be sent over HTTPS only |
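Review bot: hard-coding `secure=True` means any cookie set over plain `http://localhost` during local development is silently discarded by the browser, so consider sourcing the flag from configuration with a secure default (for example `secure=cookie_data.get("secure", True)`, mirroring how `path` is already read from `cookie_data`) rather than a literal. Since only `path`, `domain` and `secure` are visible in this hunk, also confirm that `httponly` and `samesite` are set on the same call in the lines not shown.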
maybe only for local development, not prod
| # Simple phone validation to prevent ReDoS (catastrophic backtracking) | ||
| # Optional leading +, then digits, spaces, hyphens, parentheses, dots, # for extension | ||
| # Requires at least 4 consecutive digits, length 7-25, at most one leading + | ||
| PHONE_REGEX = r"""^(?=.*\d{4,})\+?[\d\s\-\(\)\.#xX]{6,24}$""" |
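Review bot: the comment and the pattern disagree on length: `\+?[...]{6,24}` accepts a 6-character value with no `+` (six digits pass), while the comment above says "length 7-25"; either reword the comment to "6-24 characters after an optional leading +" or adjust the quantifier to match the stated rule. Two smaller points on the same line: `$` matches before a trailing newline, so if the caller uses `re.match` a value like `"1234567\n"` passes, and `re.fullmatch` or `\Z` avoids that; and the lookahead `(?=.*\d{4,})` scans the whole input before the `{6,24}` bound applies, which is still linear but deserves a test with a long non-digit input alongside the ones the PR says validate the new pattern.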
it's more relaxed regex but still works, tests validate it
dorsha left a comment
Approved, consider releasing it with feat or with !.
Fixes descope/etc#14526
Excellent! All security fixes have been successfully committed. Let me create a summary of the changes:

Security Fixes Completed ✅

CRITICAL Issues Fixed
- Flask Cookie Secure Flag (`descope/flask/__init__.py:37`): `secure=False` to `secure=True`
- ReDoS Vulnerability in Phone Regex (`descope/common.py:11`): `^[\d\s\-\+\(\)\.#xX]{7,25}$`

HIGH Severity Issues Fixed
- JWT Decode Without Verification (`descope/jwt_common.py:69-82`): `DeprecationWarning` to `decode_token_unverified()`
- TLS Certificate Bypass (skip_verify) (`descope/descope_client.py:31`): `SecurityWarning` when `skip_verify=True` is used

What Was Preserved (As Requested)
- ✅ `skip_verify` parameter kept for local development

Files Changed
- `descope/flask/__init__.py` - Secure cookie flag
- `descope/common.py` - Phone regex ReDoS fix
- `descope/jwt_common.py` - JWT unverified decode warning
- `descope/descope_client.py` - TLS bypass warning
- `samples/otp_web_sample_app.py` - Security comment
- `samples/password_web_sample_app.py` - Security comment

All changes have been committed and are ready for review! 🐕

Created by Shuni 🐕