Fix code scanning alert - Construction of a cookie using user-supplied input

[rtibbles]

We should validate the format of the visitor_id cookie before setting it, to ensure we're not storing arbitrary user supplied data.

Tracking issue for:

• https://github.com/learningequality/kolibri/security/code-scanning/55

[KumarVivekPathak]

I would like to work on this issue Can i get more details about this?

[rtibbles]

Here, we should do some simple validation on the visitor_id cookie value:

kolibri/kolibri/core/auth/api.py

Line 1049 in 0b44855

if not request.COOKIES.get("visitor_id"):

This should be as simple as ensuring it is a valid hex UUID - this can either be accomplished using a regex, or just trying to turn it into a Python UUID and catching if it fails.

In the case that the validation fails, that means this is not a visitor_id value generated by Kolibri, so we should generate a new one. This doesn't completely resolve the security alert, but limits its impact.

[rtibbles]

Please let me know if you have any further questions.

[KumarVivekPathak]

@rtibbles Please review the PR and Please tell if anything left.

[LianaHarris360]

Hi @KumarVivekPathak, reviewers have been assigned to your open pull request, and it will be reviewed when possible. Thank you for your work on this!