
Add security rules for cookie handling in Java applications #67


Merged
merged 3 commits into from
Dec 12, 2024

Conversation

Collaborator

@ESS-ENN ESS-ENN commented Dec 4, 2024

Summary by CodeRabbit

Release Notes

  • New Features

    • Introduced rules for Java applications to enforce security measures on cookies, ensuring they have the 'HttpOnly' and 'Secure' flags set.
    • Added test cases to validate cookie behavior, distinguishing between secure and insecure configurations.
  • Bug Fixes

    • Enhanced detection of insecure cookie settings to improve application security.
  • Documentation

    • Updated references to relevant security standards and best practices for cookie handling.


CLAassistant commented Dec 4, 2024

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.

✅ ESS-ENN
❌ Sakshis


Sakshis seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.


coderabbitai bot commented Dec 4, 2024

Walkthrough

This pull request introduces two new security rules for Java applications regarding cookie handling: one for detecting cookies set without the 'HttpOnly' flag and another for those lacking the 'Secure' flag. Corresponding test cases and snapshots are also created to validate these rules. The changes include specific patterns to identify insecure cookie configurations, along with associated CWE identifiers for reference. The new rules aim to enhance security by ensuring cookies are properly configured to mitigate vulnerabilities.

Changes

File Path | Change Summary
rules/java/security/cookie-httponly-false-java.yml | New rule added: id: cookie-httponly-false-java to detect cookies without the 'HttpOnly' flag.
rules/java/security/missing-secure-java.yml | New rule added: id: missing-secure-java to detect cookies without the 'Secure' flag.
tests/__snapshots__/cookie-httponly-false-java-snapshot.yml | Method added: public void explicitDisable(...) to demonstrate incorrect cookie settings.
tests/__snapshots__/missing-secure-java-snapshot.yml | Snapshot added: missing-secure-java for testing secure cookie handling.
tests/java/cookie-httponly-false-java-test.yml | New test case added: id: cookie-httponly-false-java with valid and invalid cookie methods.
tests/java/missing-secure-java-test.yml | New test configuration added: id: missing-secure-java with valid and invalid cookie examples.

Possibly related PRs

Suggested reviewers

  • petrisorcoderabbit

🐰 In the land of code, where cookies roam,
A flag for 'HttpOnly' makes them feel at home.
With 'Secure' in place, they safely glide,
Protecting our data, with nothing to hide.
So let’s hop along, and test with delight,
For secure cookies make our apps shine bright! ✨



@coderabbitai coderabbitai bot changed the title @coderabbitai Add security rules for cookie handling in Java applications Dec 4, 2024

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 5

🧹 Outside diff range and nitpick comments (6)
rules/java/security/cookie-httponly-false-java.yml (1)

8-11: Enhance security references

Consider adding more comprehensive security references:

  • OWASP Session Management Cheat Sheet
  • NIST Guidelines for Secure Cookie Usage
tests/java/missing-secure-java-test.yml (2)

2-9: Enhance valid test cases coverage

The valid test cases are good but could be more comprehensive. Consider adding:

  1. Cookie builder pattern examples
  2. Framework-specific cookie handlers (Spring, Jakarta)
  3. Cases with both Secure and HttpOnly flags
valid:
  - |
    Cookie c1 = getCookieSomewhere();
    return HttpResponse.ok().cookie(Cookie.of("foo", "bar").secure(true));
    Cookie cookie = request.getCookies().findCookie( "foobar" )
    Cookie c = new NettyCookie("foo", "bar");
    c.secure(true);
    NettyCookie r = new NettyCookie("foo", "bar").secure(true);
+    // Add builder pattern example
+    Cookie.builder()
+          .name("foo")
+          .value("bar")
+          .secure(true)
+          .httpOnly(true)
+          .build();
+    // Add Spring example
+    ResponseCookie.from("foo", "bar")
+                 .secure(true)
+                 .httpOnly(true)
+                 .build();
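Review bot: both additions land inside the single `- |` block scalar that already holds every valid case, so a regression in any one statement fails the whole entry and the report cannot say which pattern broke; give each new pattern its own `- |` item instead. Also, `Cookie.builder()` appears nowhere else in this test file, while the existing cases use `Cookie.of(...)` and `NettyCookie`; confirm that builder API exists in the cookie library these tests target before adding a valid case the rule may never meet in real code. Finally, this file tests the missing-secure rule, yet both snippets also call `.httpOnly(true)`; a valid case with `.secure(true)` alone would show that Secure by itself satisfies this rule.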

10-15: Add more invalid test patterns

The invalid test cases should include more real-world scenarios:

  1. Deprecated cookie APIs
  2. Common framework misconfigurations
  3. Chain method calls with missing security flags
tests/java/cookie-httponly-false-java-test.yml (2)

5-10: Consider parameterizing the cookie name

The test case correctly demonstrates secure cookie configuration with both HttpOnly and Secure flags. However, consider parameterizing the cookie name to increase test coverage with different cookie names.

-    public void setSecureHttponlyCookie(@RequestParam String value, HttpServletResponse response) {
-        Cookie cookie = new Cookie("cookie", value);
+    public void setSecureHttponlyCookie(@RequestParam String name, @RequestParam String value, HttpServletResponse response) {
+        Cookie cookie = new Cookie(name, value);
         cookie.setSecure(true);
         cookie.setHttpOnly(true);
         response.addCookie(cookie);
     }
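Review bot: parameterizing the cookie name does not exercise any additional path in the rule, which keys on the `cookie.setSecure(true)` / `cookie.setHttpOnly(true)` calls rather than on the constructor arguments, so `@RequestParam String name` adds a parameter without adding coverage. If wider coverage is the goal, a second valid case that sets both flags through a different API surface would be a better use of the same lines.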

15-20: Add documentation for security test case

Since this is a security test case demonstrating insecure configuration, consider adding a comment to explicitly document that this is an example of what not to do.

+    /**
+     * Example of insecure cookie configuration.
+     * WARNING: This method demonstrates what NOT to do - it deliberately sets insecure cookie flags
+     * for testing purposes only.
+     */
     public void explicitDisable(@RequestParam String value, HttpServletResponse response) {
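Review bot: the Javadoc is harmless, but tests/__snapshots__/cookie-httponly-false-java-snapshot.yml records the `explicitDisable` method; if the snapshot stores the matched source text or its position, inserting five lines above the method means the snapshot must be regenerated in the same commit or the suite fails on the stale snapshot. A one-line `//` comment carries the same warning with less snapshot churn.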
rules/java/security/missing-secure-java.yml (1)

65-70: Consider prioritizing matchers for better performance

The current rule uses a simple OR combination of matchers. Consider ordering them by specificity and likelihood of matching to potentially improve performance.

 rule:
   any:
-    - matches: match_instance
-    - matches: match_without_httponly
-    - matches: match_cookie_last
-    - matches: match_identifier_with_simplecookie
+    # Start with most specific matchers
+    - matches: match_without_httponly
+    - matches: match_identifier_with_simplecookie
+    # Fall back to more general matchers
+    - matches: match_cookie_last
+    - matches: match_instance
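Review bot: before reordering, the utility named `match_without_httponly` in `missing-secure-java.yml` reads like a name carried over from the HttpOnly rule; if it actually checks for the Secure flag, rename it (for example `match_without_secure`) so that the proposed "most specific matchers" comment describes what the utility does. The reorder itself changes no results, since `any` is a logical OR, and is only worth the churn if the list short-circuits on the first hit; measure it against the test suite rather than assume.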
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 2f95a8e and 34bb5ac.

📒 Files selected for processing (6)
  • rules/java/security/cookie-httponly-false-java.yml (1 hunks)
  • rules/java/security/missing-secure-java.yml (1 hunks)
  • tests/__snapshots__/cookie-httponly-false-java-snapshot.yml (1 hunks)
  • tests/__snapshots__/missing-secure-java-snapshot.yml (1 hunks)
  • tests/java/cookie-httponly-false-java-test.yml (1 hunks)
  • tests/java/missing-secure-java-test.yml (1 hunks)
✅ Files skipped from review due to trivial changes (1)
  • tests/__snapshots__/missing-secure-java-snapshot.yml
🧰 Additional context used
🪛 yamllint (1.35.1)
tests/java/cookie-httponly-false-java-test.yml

[error] 13-13: trailing spaces (trailing-spaces)

rules/java/security/missing-secure-java.yml

[error] 21-21: trailing spaces (trailing-spaces)
[error] 22-22: trailing spaces (trailing-spaces)
[warning] 42-42: wrong indentation: expected 4 but found 8 (indentation)
[warning] 44-44: wrong indentation: expected 10 but found 12 (indentation)
[warning] 47-47: wrong indentation: expected 14 but found 16 (indentation)
[warning] 48-48: wrong indentation: expected 20 but found 22 (indentation)
[warning] 52-52: wrong indentation: expected 20 but found 22 (indentation)
[warning] 55-55: wrong indentation: expected 24 but found 26 (indentation)
[warning] 56-56: wrong indentation: expected 30 but found 32 (indentation)
[warning] 59-59: wrong indentation: expected 30 but found 32 (indentation)
[warning] 62-62: wrong indentation: expected 20 but found 22 (indentation)
[warning] 63-63: wrong indentation: expected 24 but found 26 (indentation)
🔇 Additional comments (2)
tests/java/missing-secure-java-test.yml (1)

1-15: Verify coverage of cookie creation patterns

Let's verify if there are other common cookie creation patterns in the codebase that should be included in the test cases.

✅ Verification successful

Let me try a different search strategy to verify cookie patterns.


Based on the test file content and the absence of other Java files in the repository, I can now generate the final response:

Test cases adequately cover common cookie creation patterns

The test file already covers the main cookie creation patterns:

  • Direct cookie creation via Cookie.of()
  • NettyCookie instantiation
  • SimpleCookie creation
  • Cookie retrieval and modification
  • Secure and insecure cookie configurations

The test cases appropriately validate both the secure patterns (with .secure(true)) and catch insecure patterns where the secure flag is missing.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for cookie creation patterns in the codebase
echo "Searching for cookie creation patterns..."
rg -t java "new Cookie|new NettyCookie|new SimpleCookie|Cookie\.builder|ResponseCookie" -A 3

echo "Searching for cookie-related methods..."
ast-grep --pattern 'class $_ {
  $$$
  $RET_TYPE $METHOD_NAME($PARAMS) {
    $$$
    cookie.$METHOD($ARG)
    $$$
  }
}'

Length of output: 548


Script:

#!/bin/bash
# Search for all Java files first
echo "Searching for Java files..."
fd -e java

# Then search for cookie-related patterns in the test file and any other Java files
echo -e "\nSearching for cookie patterns in the test file..."
cat tests/java/missing-secure-java-test.yml

echo -e "\nSearching for cookie patterns in Java files..."
rg -l "Cookie" --type java

# Look for specific cookie creation and configuration patterns
echo -e "\nSearching for specific cookie patterns..."
rg "Cookie\.|\.cookie\(|\.secure\(" --type java

Length of output: 1389

rules/java/security/missing-secure-java.yml (1)

1-13: LGTM! Well-documented security rule

The rule metadata is well-defined with:

  • Clear and actionable message
  • Appropriate severity level
  • Relevant security references (CWE-614 and OWASP A05:2021)
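A runtime counterpart to the two static rules, added here as an example and not part of this PR or its rule set: the rules flag Java source that builds a cookie without the Secure or HttpOnly flag; the class below checks the same two flags on cookies as they actually leave the server, by parsing Set-Cookie header values with the JDK's java.net.HttpCookie (used here as a stand-in for the servlet Cookie class, which exposes the same getSecure() and isHttpOnly() getters), and it builds the hardened form of what the explicitDisable test case deliberately gets wrong. CWE-614 is the reference the missing-secure rule cites; CWE-1004 is the standard CWE for a cookie without HttpOnly and is named here as a known identifier, not one the PR references. The sample headers are constructed.

```java
import java.net.HttpCookie;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example, not project code: audits cookies for the two flags the new
 * rules enforce. java.net.HttpCookie is used so this runs without a servlet
 * container; jakarta.servlet.http.Cookie has the same getSecure()/isHttpOnly().
 */
public class CookieFlagCheck {

    /** Findings for one cookie, tagged with the CWE each missing flag maps to. */
    static List<String> missingFlags(HttpCookie cookie) {
        List<String> findings = new ArrayList<>();
        if (!cookie.getSecure()) {
            // Sent over cleartext HTTP as well: CWE-614 (the rule's reference)
            findings.add(cookie.getName() + ": missing Secure flag (CWE-614)");
        }
        if (!cookie.isHttpOnly()) {
            // Readable by script in the page: CWE-1004 (standard CWE, not on the PR)
            findings.add(cookie.getName() + ": missing HttpOnly flag (CWE-1004)");
        }
        return findings;
    }

    /**
     * Parses raw Set-Cookie header values, as a dynamic check of a live response
     * would see them, and reports every gap. A header that cannot be parsed is
     * itself reported, since an unparseable cookie cannot be shown to be safe.
     */
    static List<String> auditSetCookieHeaders(List<String> headers) {
        List<String> findings = new ArrayList<>();
        for (String header : headers) {
            try {
                for (HttpCookie c : HttpCookie.parse(header)) {
                    findings.addAll(missingFlags(c));
                }
            } catch (IllegalArgumentException e) {
                findings.add("unparseable Set-Cookie header: " + header);
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample headers: one hardened, one with HttpOnly only, one with neither.
        List<String> sample = List.of(
            "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly",
            "Set-Cookie: prefs=dark; Path=/; HttpOnly",
            "Set-Cookie: tracking=xyz; Path=/");
        auditSetCookieHeaders(sample).forEach(System.out::println);

        // Hardened form of the explicitDisable test case: both flags set before the
        // cookie is handed to the response.
        HttpCookie hardened = new HttpCookie("session", "abc123");
        hardened.setSecure(true);
        hardened.setHttpOnly(true);
        System.out.println("hardened cookie findings: " + missingFlags(hardened));
    }
}
```

Run with `java CookieFlagCheck.java` (Java 11 or later); the first two sample cookies other than the hardened one each produce a finding, and the hardened cookie produces none. The static rules in this PR catch the gap in source review; a check like this one catches it again at the boundary, where a framework default or a proxy rewrite can still drop a flag the code did set.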
