Skip to content

Two java rules 18Oct2024 #37

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Oct 21, 2024
Merged

Two java rules 18Oct2024 #37

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
999300c
cookie-missing-httponly-java
ESS-ENN Oct 18, 2024
e8ad210
cookie-httponly-false-java
ESS-ENN Oct 18, 2024
52c5d93
Merge branch 'main' into two-java-rules-18Oct2024
ESS-ENN Oct 18, 2024
9b05910
Merge branch 'main' into two-java-rules-18Oct2024
petrisorcoderabbit Oct 21, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 13 additions & 0 deletions rules/java/security/cookie-httponly-false-java.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
id: cookie-httponly-false-java
language: java
message: >-
A cookie was detected without setting the 'HttpOnly' flag. The
'HttpOnly' flag for cookies instructs the browser to forbid client-side
scripts from reading the cookie. Set the 'HttpOnly' flag by calling
'cookie.setHttpOnly(true);'
note: >-
[CWE-1004] Sensitive Cookie Without 'HttpOnly' Flag.
[REFERENCES]
- https://capec.mitre.org/data/definitions/463.html
rule:
pattern: $COOKIE.setHttpOnly(false);
23 changes: 23 additions & 0 deletions rules/java/security/cookie-missing-httponly-java.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
id: cookie-missing-httponly-java
severity: warning
language: java
message: >-
A cookie was detected without setting the 'HttpOnly' flag. The
'HttpOnly' flag for cookies instructs the browser to forbid client-side
scripts from reading the cookie. Set the 'HttpOnly' flag by calling
'cookie.setHttpOnly(true);
note: >-
[CWE-1004] Sensitive Cookie Without 'HttpOnly' Flag.
[REFERENCES]
- https://owasp.org/www-community/HttpOnly
rule:
pattern: $RESPONSE.addCookie($COOKIE);
all:
- not:
follows:
stopBy: end
pattern: $COOKIE.setValue("");
- not:
follows:
stopBy: end
pattern: $COOKIE.setHttpOnly($$$);
16 changes: 16 additions & 0 deletions tests/__snapshots__/cookie-httponly-false-java-snapshot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
id: cookie-httponly-false-java
snapshots:
? |2

@RequestMapping(value = "/cookie4", method = "GET")
public void explicitDisable(@RequestParam String value, HttpServletResponse response) {
Cookie cookie = new Cookie("cookie", value);
cookie.setSecure(false);
cookie.setHttpOnly(false);
response.addCookie(cookie);
}
: labels:
- source: cookie.setHttpOnly(false);
style: primary
start: 223
end: 249
19 changes: 19 additions & 0 deletions tests/__snapshots__/cookie-missing-httponly-java-snapshot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
id: cookie-missing-httponly-java
snapshots:
? |
@RequestMapping(value = "/cookie1", method = "GET")
public void setCookie(@RequestParam String value, HttpServletResponse response) {
Cookie cookie = new Cookie("cookie", value);
response.addCookie(cookie);
}
@RequestMapping(value = "/cookie2", method = "GET")
public void setSecureCookie(@RequestParam String value, HttpServletResponse response) {
Cookie cookie = new Cookie("cookie", value);
cookie.setSecure(true);
response.addCookie(cookie);
}
: labels:
- source: response.addCookie(cookie);
style: primary
start: 187
end: 214
20 changes: 20 additions & 0 deletions tests/java/cookie-httponly-false-java-test.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
id: cookie-httponly-false-java
valid:
- |
@RequestMapping(value = "/cookie3", method = "GET")
public void setSecureHttponlyCookie(@RequestParam String value, HttpServletResponse response) {
Cookie cookie = new Cookie("cookie", value);
cookie.setSecure(true);
cookie.setHttpOnly(true);
response.addCookie(cookie);
}
invalid:
- |

@RequestMapping(value = "/cookie4", method = "GET")
public void explicitDisable(@RequestParam String value, HttpServletResponse response) {
Cookie cookie = new Cookie("cookie", value);
cookie.setSecure(false);
cookie.setHttpOnly(false);
response.addCookie(cookie);
}
19 changes: 19 additions & 0 deletions tests/java/cookie-missing-httponly-java-test.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
id: cookie-missing-httponly-java
valid:
- |
existingCookie.setValue("");
existingCookie.setMaxAge(0);
response.addCookie(existingCookie);
invalid:
- |
@RequestMapping(value = "/cookie1", method = "GET")
public void setCookie(@RequestParam String value, HttpServletResponse response) {
Cookie cookie = new Cookie("cookie", value);
response.addCookie(cookie);
}
@RequestMapping(value = "/cookie2", method = "GET")
public void setSecureCookie(@RequestParam String value, HttpServletResponse response) {
Cookie cookie = new Cookie("cookie", value);
cookie.setSecure(true);
response.addCookie(cookie);
}