fix(session): fixation rotation, Secure-cookie auto-detect, Redis allowlist + tests (v26.06.13) #39

Merged
…edis allowlist + tests + bump v26.06.13

Completes the session-hardening follow-up deferred from v26.06.12 (surfaced by the implement-security adversarial audit). The session subsystem was previously untested.

- Session fixation: HttpSession.rotate_id() (preserves data, records previous_id); SessionFilter migrates the store entry + re-issues the cookie under the new id; OAuth2 login rotates on successful authentication.
- Cookie Secure auto-set when the request is HTTPS (honors X-Forwarded-Proto), even if not explicitly configured — hardens prod without breaking HTTP dev.
- RedisSessionStore: rehydration restricted to an allowlist (SecurityContext pre-registered; allow_session_type() to opt in custom types) — closes the arbitrary-object instantiation gadget.
- New tests/session suite (16): HttpSession+rotation, InMemory store+TTL, filter (new/existing/invalidate/rotation/secure auto-detect), Redis round-trip + gadget guard.

Gates: mypy --strict (607), ruff + format, full suite 3661 passed.
Summary

Completes the session-hardening follow-up deferred from v26.06.12 (surfaced by the `implement-security` adversarial audit). The `src/pyfly/session/` subsystem was previously untested — this PR adds its first test suite alongside the fixes.

Fixes

- `PYFLY_SESSION` id could ride the authenticated session. New `HttpSession.rotate_id()` (preserves data, records `previous_id`); `SessionFilter` deletes the pre-rotation store entry and re-issues the cookie under the new id; the OAuth2 login flow calls `rotate_id()` on successful login.
- `Secure` auto-detect. `SessionFilter` now sets the cookie `Secure` when the request arrives over HTTPS (honoring `X-Forwarded-Proto`) even when not explicitly configured — hardens production without breaking plain-HTTP local dev.
- `RedisSessionStore._json_object_hook` rehydrated any tagged type via `importlib` + `obj(**payload)`. Rehydration is now restricted to an allowlist (`SecurityContext` pre-registered); non-allowlisted tags return a plain dict. Apps opt custom dataclasses in via `allow_session_type()`.

Added

- `tests/session/test_session_subsystem.py` (16 tests): `HttpSession` incl. rotation; `InMemorySessionStore` incl. TTL expiry; `SessionFilter` (new / existing / invalidate / rotation migrates store + cookie / Secure over HTTPS + forwarded-proto); `RedisSessionStore` (`SecurityContext` round-trip + a tripwire test proving a non-allowlisted tag is never instantiated).

Gates

`mypy --strict` (607) ✓ · `ruff` + `ruff format` ✓ · full suite 3661 passed, 1 skipped.

Bumps

v26.06.12 → v26.06.13, CHANGELOG, `uv.lock` synced. Closes the session items tracked after v26.06.12.
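The allowlist-gated rehydration hook described under Fixes, as an added example that is not pyfly's own code: the `__type__`/`payload` tag layout, the `_ALLOWED` registry, `qualname`, the `Tripwire` class and the `SecurityContext` stand-in are assumptions; `allow_session_type` only borrows the PR's name. The tripwire mirrors the PR's test: a tag naming a class that is not allowlisted comes back as a plain dict and its constructor is never reached.

```python
import json
from dataclasses import asdict, dataclass, field, is_dataclass
from typing import Any

# Registry of types the object hook may instantiate, keyed by qualified name.
_ALLOWED: dict[str, type] = {}

def qualname(cls: type) -> str:
    return f"{cls.__module__}.{cls.__qualname__}"

def allow_session_type(cls: type) -> type:
    """Opt a dataclass in for rehydration (assumed API shape, named after the PR's)."""
    if not is_dataclass(cls):
        raise TypeError("only dataclasses can be session types")
    _ALLOWED[qualname(cls)] = cls
    return cls

@allow_session_type
@dataclass
class SecurityContext:  # constructed stand-in for the pre-registered type
    principal: str
    roles: list[str] = field(default_factory=list)

class Tripwire:
    """Deliberately NOT allowlisted; the hook must never reach this constructor."""
    def __init__(self, **kwargs: Any) -> None:
        raise AssertionError("non-allowlisted tag was instantiated")

def _tag(obj: Any) -> Any:
    """json.dumps default: tag allowlisted dataclass instances with their name."""
    if is_dataclass(obj) and qualname(type(obj)) in _ALLOWED:
        return {"__type__": qualname(type(obj)), "payload": asdict(obj)}
    raise TypeError(f"{type(obj).__name__} is not an allowlisted session type")

def _json_object_hook(d: dict[str, Any]) -> Any:
    """Instantiate only allowlisted tags; other tagged dicts stay plain dicts.
    The pre-fix hook resolved the tag via importlib and called obj(**payload)."""
    if set(d) != {"__type__", "payload"} or not isinstance(d["payload"], dict):
        return d
    cls = _ALLOWED.get(d["__type__"])
    return d if cls is None else cls(**d["payload"])

def dumps(value: Any) -> str:
    return json.dumps(value, default=_tag)

def loads(raw: str) -> Any:
    return json.loads(raw, object_hook=_json_object_hook)
```

Because `json.loads` applies the hook bottom-up, the inner `payload` dict is checked before the tagged wrapper, so a nested hostile tag is rejected the same way as a top-level one.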