cookie-missing-samesite-java (#68)

ESS-ENN · Sakshis · web-flow · commit b404bf254535 · 2024-12-12T12:18:38.000+05:30
Co-authored-by: Sakshis &lt;sakshil@abc.com&gt;
diff --git a/rules/java/security/cookie-missing-samesite-java.yml b/rules/java/security/cookie-missing-samesite-java.yml
@@ -0,0 +1,68 @@
+id: cookie-missing-samesite-java
+severity: warning
+language: java
+message: >-
+  The application does not appear to verify inbound requests which can
+  lead to a Cross-site request forgery (CSRF) vulnerability. If the
+  application uses cookie-based authentication, an attacker can trick users
+  into sending authenticated HTTP requests without their knowledge from any
+  arbitrary domain they visit. To prevent this vulnerability start by
+  identifying if the framework or library leveraged has built-in features or
+  offers plugins for CSRF protection. CSRF tokens should be unique and
+  securely random. The `Synchronizer Token` or `Double Submit Cookie`
+  patterns with defense-in-depth mechanisms such as the `sameSite` cookie
+  flag can help prevent CSRF. For more information, see: [Cross-site request
+  forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Req\
+  uest_Forgery_Prevention_Cheat_Sheet.html).
+note: >-
+  [CWE-352] Cross-Site Request Forgery (CSRF).
+  [REFERENCES]
+      - https://stackoverflow.com/questions/42717210/samesite-cookie-in-java-application
+rule:
+  any:
+    - pattern: $RESP.setHeader("Set-Cookie", $T);
+      inside:
+        stopBy: end
+        kind: block 
+        follows: 
+          stopBy: end
+          kind: formal_parameters
+          has:
+            stopBy: end
+            kind: formal_parameter
+            all:
+              - has:
+                  stopBy: end
+                  kind: type_identifier
+                  regex: '^HttpServletResponse$'
+              - has:
+                  stopBy: neighbor
+                  kind: identifier
+    - pattern: $RESP.addCookie($$$);
+      not:
+        follows:
+          stopBy: end
+          kind: expression_statement
+          pattern: $RESP.setHeader("Set-Cookie", $T);
+          inside:
+           stopBy: end
+           kind: block   
+           follows: 
+             stopBy: end
+             kind: formal_parameters
+             has:
+              stopBy: end
+              kind: formal_parameter
+              all:
+              - has:
+                  stopBy: end
+                  kind: type_identifier
+                  regex: '^HttpServletResponse$'
+              - has:
+                  stopBy: neighbor
+                  kind: identifier     
+    - pattern: $RESP.setHeader("Set-Cookie");
+constraints:
+  T:
+    not:
+      regex: ".*SameSite=.*"
diff --git a/tests/__snapshots__/cookie-missing-samesite-java-snapshot.yml b/tests/__snapshots__/cookie-missing-samesite-java-snapshot.yml
@@ -0,0 +1,19 @@
+id: cookie-missing-samesite-java
+snapshots:
+  ? |
+    @RequestMapping(value = "/cookie3", method = "GET")
+    public void setSecureHttponlyCookie(@RequestParam String value, HttpServletResponse response) {
+       Cookie cookie = new Cookie("cookie", value);
+       cookie.setSecure(true);
+       cookie.setHttpOnly(true);
+       response.addCookie(cookie);
+    }
+    @RequestMapping(value = "/cookie2", method = "GET")
+    public void setSecureCookie(@RequestParam String value, HttpServletResponse response) {
+       response.setHeader("Set-Cookie", "key=value; HttpOnly;");
+    }
+  : labels:
+    - source: response.addCookie(cookie);
+      style: primary
+      start: 255
+      end: 282
diff --git a/tests/java/cookie-missing-samesite-java-test.yml b/tests/java/cookie-missing-samesite-java-test.yml
@@ -0,0 +1,20 @@
+id: cookie-missing-samesite-java
+valid:
+  - |
+     @RequestMapping(value = "/cookie1", method = "GET")
+     public void setCookie(@RequestParam String value, HttpServletResponse response) {
+        response.setHeader("Set-Cookie", "key=value; HttpOnly; SameSite=strict");
+     }
+invalid:
+  - |
+     @RequestMapping(value = "/cookie3", method = "GET")
+     public void setSecureHttponlyCookie(@RequestParam String value, HttpServletResponse response) {
+        Cookie cookie = new Cookie("cookie", value);
+        cookie.setSecure(true);
+        cookie.setHttpOnly(true);
+        response.addCookie(cookie);
+     }
+     @RequestMapping(value = "/cookie2", method = "GET")
+     public void setSecureCookie(@RequestParam String value, HttpServletResponse response) {
+        response.setHeader("Set-Cookie", "key=value; HttpOnly;");
+     }
