diff --git a/package.json b/package.json
index 7568aa33..535e2eca 100644
--- a/package.json
+++ b/package.json
@@ -14,4 +14,4 @@
 "devDependencies": {
 "@ast-grep/cli": "^0.28.1"
 }
-}
+}
\ No newline at end of file
diff --git a/rules/java/security/missing-httponly-java.yml b/rules/java/security/missing-httponly-java.yml
deleted file mode 100644
index b7d2ff64..00000000
--- a/rules/java/security/missing-httponly-java.yml
+++ /dev/null
@@ -1,83 +0,0 @@
-id: missing-httponly-java
-language: java
-severity: warning
-message: >-
- Detected a cookie where the `HttpOnly` flag is either missing or
- disabled. The `HttpOnly` cookie flag instructs the browser to forbid
- client-side JavaScript to read the cookie. If JavaScript interaction is
- required, you can ignore this finding. However, set the `HttpOnly` flag to
- true` in all other cases.
-note: >-
- [CWE-1004]: Sensitive Cookie Without 'HttpOnly' Flag
- [OWASP A05:2021]: Security Misconfiguration
- [REFERENCES]
- - https://owasp.org/Top10/A05_2021-Security_Misconfiguration
-utils:
- match_without_httponly:
- kind: argument_list
- has:
- kind: object_creation_expression
- inside:
- stopBy: end
- kind: method_invocation
-
- match_cc2_cookie:
- kind: local_variable_declaration
- precedes:
- kind: expression_statement
- has:
- kind: method_invocation
- has:
- kind: method_invocation
- has:
- kind: argument_list
- has:
- kind: string_literal
- match_nettycookie:
- kind: local_variable_declaration
- all:
- - has:
- stopBy: end
- kind: variable_declarator
- has:
- kind: object_creation_expression
- all:
- - has:
- stopBy: end
- kind: argument_list
- has:
- stopBy: end
- kind: string_literal
- precedes:
- stopBy: end
- kind: string_literal
- - not:
- precedes:
- stopBy: end
- kind: identifier
- regex: "http"
- - not:
- precedes:
- stopBy: neighbor
- kind: expression_statement
- has:
- stopBy: end
- kind: method_invocation
- has:
- stopBy: end
- kind: argument_list
- match_cookie_last:
- kind: argument_list
- has:
- kind: method_invocation
- has:
- kind: argument_list
- has:
- kind: string_literal
-
-rule:
- any:
- - matches: match_cc2_cookie
- - matches: match_without_httponly
- - matches: match_nettycookie
- - matches: match_cookie_last
diff --git a/tests/__snapshots__/missing-httponly-java-snapshot.yml b/tests/__snapshots__/missing-httponly-java-snapshot.yml
deleted file mode 100644
index 95f6dfab..00000000
--- a/tests/__snapshots__/missing-httponly-java-snapshot.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-id: missing-httponly-java
-snapshots:
- ? |
- SimpleCookie s = new SimpleCookie("foo", "bar");
- ( new NettyCookie( "foo", "bar" ) )
- Cookie cc2 = Cookie.of("zzz", "ddd");
- Cookie z = new NettyCookie("foo", "bar");
- (Cookie.of("zzz", "ddd"))
- : labels:
- - source: SimpleCookie s = new SimpleCookie("foo", "bar");
- style: primary
- start: 0
- end: 48
- - source: '"foo"'
- style: secondary
- start: 34
- end: 39
- - source: '"foo"'
- style: secondary
- start: 34
- end: 39
- - source: ("foo", "bar")
- style: secondary
- start: 33
- end: 47
- - source: new SimpleCookie("foo", "bar")
- style: secondary
- start: 17
- end: 47
- - source: s = new SimpleCookie("foo", "bar")
- style: secondary
- start: 13
- end: 47
diff --git a/tests/java/missing-httponly-java-test.yml b/tests/java/missing-httponly-java-test.yml
deleted file mode 100644
index bc138b5f..00000000
--- a/tests/java/missing-httponly-java-test.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-id: missing-httponly-java
-valid:
- - |
- Cookie c1 = getCookieSomewhere();
- return HttpResponse.ok().cookie(Cookie.of("foo", "bar").httpOnly(true));
- Cookie cookie = request.getCookies().findCookie( "foobar" )
- Cookie ccc = Cookie.of("zzz", "ddd");
- ccc.httpOnly(true).secure(true);
- Cookie c = new NettyCookie("foo", "bar");
- c.httpOnly(true);
- NettyCookie r = new NettyCookie("foo", "bar").httpOnly(true);
-invalid:
- - |
- SimpleCookie s = new SimpleCookie("foo", "bar");
- ( new NettyCookie( "foo", "bar" ) )
- Cookie cc2 = Cookie.of("zzz", "ddd");
- Cookie z = new NettyCookie("foo", "bar");
- (Cookie.of("zzz", "ddd"))