cookie-httponly-false-java

Author: Sakshis

rules/java/security/cookie-httponly-false-java.yml

@@ -0,0 +1,13 @@
+id: cookie-httponly-false-java
+language: java
+message: >-
+  A cookie was detected without setting the 'HttpOnly' flag. The
+  'HttpOnly' flag for cookies instructs the browser to forbid client-side
+  scripts from reading the cookie. Set the 'HttpOnly' flag by calling
+  'cookie.setHttpOnly(true);'
+note: >-
+  [CWE-1004] Sensitive Cookie Without 'HttpOnly' Flag.
+  [REFERENCES]
+  - https://capec.mitre.org/data/definitions/463.html
+rule:
+  pattern: $COOKIE.setHttpOnly(false);

tests/__snapshots__/cookie-httponly-false-java-snapshot.yml

@@ -0,0 +1,16 @@
+id: cookie-httponly-false-java
+snapshots:
+  ? |2
+
+    @RequestMapping(value = "/cookie4", method = "GET")
+    public void explicitDisable(@RequestParam String value, HttpServletResponse response) {
+        Cookie cookie = new Cookie("cookie", value);
+        cookie.setSecure(false);
+        cookie.setHttpOnly(false);
+        response.addCookie(cookie);
+    }
+  : labels:
+    - source: cookie.setHttpOnly(false);
+      style: primary
+      start: 223
+      end: 249

tests/java/cookie-httponly-false-java-test.yml

@@ -0,0 +1,20 @@
+id: cookie-httponly-false-java
+valid:
+  - |
+    @RequestMapping(value = "/cookie3", method = "GET")
+    public void setSecureHttponlyCookie(@RequestParam String value, HttpServletResponse response) {
+        Cookie cookie = new Cookie("cookie", value);
+        cookie.setSecure(true);
+        cookie.setHttpOnly(true);
+        response.addCookie(cookie);
+    }
+invalid:
+  - |
+    
+    @RequestMapping(value = "/cookie4", method = "GET")
+    public void explicitDisable(@RequestParam String value, HttpServletResponse response) {
+        Cookie cookie = new Cookie("cookie", value);
+        cookie.setSecure(false);
+        cookie.setHttpOnly(false);
+        response.addCookie(cookie);
+    }