
Commit b5d26b3

Authored by ESS-ENNSakshis and Sakshis
Add security rules for cookie handling in Java applications (#67)
* missing-secure-java
* cookie-httponly-false-java

---------

Co-authored-by: Sakshis <sakshil@abc.com>
1 parent b404bf2 commit b5d26b3

6 files changed: +166 -0 lines changed
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
id: cookie-httponly-false-java
2+
language: java
3+
message: >-
4+
A cookie was detected without setting the 'HttpOnly' flag. The
5+
'HttpOnly' flag for cookies instructs the browser to forbid client-side
6+
scripts from reading the cookie. Set the 'HttpOnly' flag by calling
7+
'cookie.setHttpOnly(true);'
8+
note: >-
9+
[CWE-1004] Sensitive Cookie Without 'HttpOnly' Flag.
10+
[REFERENCES]
11+
- https://capec.mitre.org/data/definitions/463.html
12+
rule:
13+
pattern: $COOKIE.setHttpOnly(false);
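Review bot: the message says a cookie was detected "without setting" the HttpOnly flag, but the only rule is `pattern: $COOKIE.setHttpOnly(false);`, which fires solely on an explicit call with `false`; a cookie that never calls `setHttpOnly` at all is silently accepted. Either reword the message to say the flag was explicitly disabled, or add a second match for Cookie objects that are added to the response with no `setHttpOnly(true)` call (the sibling missing-secure-java rule attempts this shape with its `match_identifier_with_simplecookie` util). Two smaller points: this file has no `severity:` key while missing-secure-java declares `severity: warning`, so the two rules will report at different levels; and the note cites CWE-1004 but the only reference link is a CAPEC entry, so a link to the CWE page itself would help readers.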
Lines changed: 70 additions & 0 deletions
@@ -0,0 +1,70 @@
1+
id: missing-secure-java
2+
language: java
3+
severity: warning
4+
message: >-
5+
Detected a cookie where the `Secure` flag is either missing or
6+
disabled. The `Secure` cookie flag instructs the browser to forbid sending
7+
the cookie over an insecure HTTP request. Set the `Secure` flag to `true`
8+
so the cookie will only be sent over HTTPS.
9+
note: >-
10+
[CWE-614]: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
11+
[OWASP A05:2021]: Security Misconfiguration
12+
[REFERENCES]
13+
- https://owasp.org/Top10/A05_2021-Security_Misconfiguration
14+
utils:
15+
match_without_httponly:
16+
kind: argument_list
17+
has:
18+
kind: object_creation_expression
19+
inside:
20+
stopBy: end
21+
kind: method_invocation
22+
23+
match_cookie_last:
24+
kind: argument_list
25+
has:
26+
kind: method_invocation
27+
has:
28+
kind: argument_list
29+
has:
30+
kind: string_literal
31+
32+
match_instance:
33+
kind: local_variable_declaration
34+
has:
35+
stopBy: end
36+
kind: identifier
37+
follows:
38+
stopBy: end
39+
kind: variable_declarator
40+
41+
match_identifier_with_simplecookie:
42+
kind: identifier
43+
inside:
44+
stopBy: end
45+
kind: local_variable_declaration
46+
all:
47+
- has:
48+
stopBy: end
49+
kind: type_identifier
50+
regex: '^SimpleCookie$|^Cookie$'
51+
- has:
52+
stopBy: neighbor
53+
kind: variable_declarator
54+
all:
55+
- has:
56+
stopBy: neighbor
57+
kind: identifier
58+
- has:
59+
stopBy: neighbor
60+
kind: object_creation_expression
61+
- not:
62+
precedes:
63+
stopBy: neighbor
64+
kind: expression_statement
65+
rule:
66+
any:
67+
- matches: match_instance
68+
- matches: match_without_httponly
69+
- matches: match_cookie_last
70+
- matches: match_identifier_with_simplecookie
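Review bot: none of the four utils inspects a `secure`/`setSecure` call, so this rule reports on statement shape rather than on the state of the Secure flag. `match_without_httponly` (whose name refers to HttpOnly in a rule about Secure) matches any `argument_list` that directly contains an `object_creation_expression` inside a `method_invocation`, and `match_cookie_last` matches any call whose argument is itself a call taking a string literal; neither needs to involve a cookie, so consider constraining both with a `regex` on the callee or type, as `match_identifier_with_simplecookie` does with `'^SimpleCookie$|^Cookie$'`. `match_identifier_with_simplecookie` exempts a declaration merely because it `precedes` an `expression_statement`, so a cookie declaration followed by any unrelated statement is treated as secure; the following statement should be required to be a `secure(true)`/`setSecure(true)` call on the same identifier. Finally, it is not clear what shape `match_instance` is meant to catch (an `identifier` that `follows` a `variable_declarator` inside a declaration); a comment and a dedicated test case would document the intent.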
Lines changed: 16 additions & 0 deletions
@@ -0,0 +1,16 @@
1+
id: cookie-httponly-false-java
2+
snapshots:
3+
? |2
4+
5+
@RequestMapping(value = "/cookie4", method = "GET")
6+
public void explicitDisable(@RequestParam String value, HttpServletResponse response) {
7+
Cookie cookie = new Cookie("cookie", value);
8+
cookie.setSecure(false);
9+
cookie.setHttpOnly(false);
10+
response.addCookie(cookie);
11+
}
12+
: labels:
13+
- source: cookie.setHttpOnly(false);
14+
style: primary
15+
start: 223
16+
end: 249
Lines changed: 32 additions & 0 deletions
@@ -0,0 +1,32 @@
1+
id: missing-secure-java
2+
snapshots:
3+
? |
4+
SimpleCookie s = new SimpleCookie("foo", "bar");
5+
.orElse( new NettyCookie( "foo", "bar" ) );
6+
Cookie z = new NettyCookie("foo", "bar");
7+
return HttpResponse.ok().cookie(Cookie.of("zzz", "ddd"));
8+
: labels:
9+
- source: s
10+
style: primary
11+
start: 13
12+
end: 14
13+
- source: SimpleCookie
14+
style: secondary
15+
start: 0
16+
end: 12
17+
- source: s
18+
style: secondary
19+
start: 13
20+
end: 14
21+
- source: new SimpleCookie("foo", "bar")
22+
style: secondary
23+
start: 17
24+
end: 47
25+
- source: s = new SimpleCookie("foo", "bar")
26+
style: secondary
27+
start: 13
28+
end: 47
29+
- source: SimpleCookie s = new SimpleCookie("foo", "bar");
30+
style: secondary
31+
start: 0
32+
end: 48
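Review bot: all six labels fall within offsets 0 to 48, i.e. the `SimpleCookie s = new SimpleCookie("foo", "bar");` declaration; nothing in the snapshot shows that `Cookie z = new NettyCookie("foo", "bar");` or `return HttpResponse.ok().cookie(Cookie.of("zzz", "ddd"));` produced a match. Because a multi-statement invalid case passes as soon as any one line matches, this snapshot cannot confirm that those two shapes are detected; splitting them into separate cases and regenerating the snapshot would. The `.orElse( new NettyCookie( "foo", "bar" ) );` line is not a complete statement on its own and will be parsed with error nodes, which can change how the neighbouring lines are analysed.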
Lines changed: 20 additions & 0 deletions
@@ -0,0 +1,20 @@
1+
id: cookie-httponly-false-java
2+
valid:
3+
- |
4+
@RequestMapping(value = "/cookie3", method = "GET")
5+
public void setSecureHttponlyCookie(@RequestParam String value, HttpServletResponse response) {
6+
Cookie cookie = new Cookie("cookie", value);
7+
cookie.setSecure(true);
8+
cookie.setHttpOnly(true);
9+
response.addCookie(cookie);
10+
}
11+
invalid:
12+
- |
13+
14+
@RequestMapping(value = "/cookie4", method = "GET")
15+
public void explicitDisable(@RequestParam String value, HttpServletResponse response) {
16+
Cookie cookie = new Cookie("cookie", value);
17+
cookie.setSecure(false);
18+
cookie.setHttpOnly(false);
19+
response.addCookie(cookie);
20+
}
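Review bot: both cases call `setHttpOnly` explicitly, so the suite never exercises the situation the rule message describes, a cookie that is created and added to the response with no `setHttpOnly` call at all. Add a case along the lines of `Cookie cookie = new Cookie("cookie", value); response.addCookie(cookie);` under `invalid` if that is meant to be reported (the current `pattern` would not match it) or under `valid` if the message is to be narrowed to an explicit `false`; either way the expected behaviour is then pinned down by a test rather than left implicit.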
Lines changed: 15 additions & 0 deletions
@@ -0,0 +1,15 @@
1+
id: missing-secure-java
2+
valid:
3+
- |
4+
Cookie c1 = getCookieSomewhere();
5+
return HttpResponse.ok().cookie(Cookie.of("foo", "bar").secure(true));
6+
Cookie cookie = request.getCookies().findCookie( "foobar" )
7+
Cookie c = new NettyCookie("foo", "bar");
8+
c.secure(true);
9+
NettyCookie r = new NettyCookie("foo", "bar").secure(true);
10+
invalid:
11+
- |
12+
SimpleCookie s = new SimpleCookie("foo", "bar");
13+
.orElse( new NettyCookie( "foo", "bar" ) );
14+
Cookie z = new NettyCookie("foo", "bar");
15+
return HttpResponse.ok().cookie(Cookie.of("zzz", "ddd"));
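Review bot: the `valid` block packs five unrelated statements into one case and the `invalid` block three, so a single match anywhere in the invalid text passes it and a single false positive anywhere in the valid text fails it, without indicating which line is at fault; one statement per `- |` entry would make failures attributable. Two fixture lines are not syntactically complete Java: `Cookie cookie = request.getCookies().findCookie( "foobar" )` lacks a semicolon and `.orElse( new NettyCookie( "foo", "bar" ) );` has no receiver, so tree-sitter will parse them with error nodes and the rule is tested against a damaged tree rather than the code it will see in practice. `Cookie c1 = getCookieSomewhere();` also deserves a comment stating what it guards against (presumably that a cookie obtained rather than constructed is not flagged).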

0 commit comments