From 58ee7f972748e682717f2e527d92845d53616c18 Mon Sep 17 00:00:00 2001
From: elsapet
Date: Wed, 31 Jan 2024 15:55:37 +0200
Subject: [PATCH] feat(java): extend secure cookie rule

---
 rules/java/lang/cookie_missing_secure.yml | 4 +-
 .../testdata/main.java | 11 +----
 tests/java/lang/cookie_missing_secure/test.js | 19 +++++++--
 .../cookie_missing_secure/testdata/main.java | 42 +++++++++++++++++++
 4 files changed, 61 insertions(+), 15 deletions(-)
 create mode 100644 tests/java/lang/cookie_missing_secure/testdata/main.java

diff --git a/rules/java/lang/cookie_missing_secure.yml b/rules/java/lang/cookie_missing_secure.yml
index 388f2babd..e5bf9db81 100644
--- a/rules/java/lang/cookie_missing_secure.yml
+++ b/rules/java/lang/cookie_missing_secure.yml
@@ -8,7 +8,7 @@ patterns:
 scope: cursor
 filters:
 - variable: JAVA_SHARED_LANG_INSTANCE_TYPE
- regex: \A(javax\.servlet\.http\.)?Cookie\z
+ regex: \A((javax|jakarta)\.servlet\.http\.)?Cookie\z
 - variable: "TRUE"
 detection: java_lang_cookie_missing_secure_true
 scope: cursor
@@ -21,7 +21,7 @@ auxiliary:
 - pattern: new $();
 filters:
 - variable: COOKIE_TYPE
- regex: \A(javax\.servlet\.http\.)?Cookie\z
+ regex: \A((javax|jakarta)\.servlet\.http\.)?Cookie\z
 - id: java_lang_cookie_missing_secure_true
 patterns:
 - "true;"
diff --git a/tests/java/lang/cookie_missing_http_only/testdata/main.java b/tests/java/lang/cookie_missing_http_only/testdata/main.java
index 6d90ee484..9ebfd733e 100644
--- a/tests/java/lang/cookie_missing_http_only/testdata/main.java
+++ b/tests/java/lang/cookie_missing_http_only/testdata/main.java
@@ -5,14 +5,7 @@ public class Test
 {
 public static final String COOKIE_NAME = "someCookie";
 
- public void badCookie(HttpServletResponse response) {
- // bearer:expected java_lang_cookie_missing_http_only
- Cookie cookie = new Cookie(COOKIE_NAME, "cookieValue");
- cookie.setPath("/WebGoat");
- response.addCookie(cookie);
- }
-
- public void badCookie2(HttpServletResponse res) {
+ public void badCookie(HttpServletResponse res) {
 // bearer:expected java_lang_cookie_missing_http_only
 javax.servlet.http.Cookie cookie = new javax.servlet.http.Cookie(COOKIE_NAME, "cookieValue");
 cookie.setSecure(true);
@@ -21,7 +14,7 @@ public void badCookie2(HttpServletResponse res) {
 res.addCookie(cookie);
 }
 
- public void badCookie3(HttpServletResponse res) {
+ public void badCookie2(HttpServletResponse res) {
 // bearer:expected java_lang_cookie_missing_http_only
 javax.servlet.http.Cookie cookie = new javax.servlet.http.Cookie(COOKIE_NAME, "cookieValue");
 cookie.setSecure(true);
diff --git a/tests/java/lang/cookie_missing_secure/test.js b/tests/java/lang/cookie_missing_secure/test.js
index 3c77c7b9d..45b67d516 100644
--- a/tests/java/lang/cookie_missing_secure/test.js
+++ b/tests/java/lang/cookie_missing_secure/test.js
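Review bot: The removed `badCookie` case was the only one in this fixture built from the short imported type (`Cookie cookie = new Cookie(COOKIE_NAME, "cookieValue");`) and it set no flags at all; every case that remains uses the fully-qualified `javax.servlet.http.Cookie` and calls `cookie.setSecure(true)`, so the optional package prefix in the rule's type regex `\A((javax|jakarta)\.servlet\.http\.)?Cookie\z` is no longer exercised by this file (unless bad.java already covers it, which is not visible here). If the case was dropped because the new invoker cannot resolve the unqualified name, the commit message should say so; otherwise keeping it, or moving it into the new secure fixture, preserves that coverage. This edit to the http_only fixture is also unrelated to the subject `feat(java): extend secure cookie rule` and would be easier to bisect as its own commit. The enclosing `Test` class starts before and continues after the hunk.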
@@ -1,19 +1,30 @@
-const { createInvoker, getEnvironment } = require("../../../helper.js")
+const { createInvoker, createNewInvoker, getEnvironment } = require("../../../helper.js")
 const { ruleId, ruleFile, testBase } = getEnvironment(__dirname)
 
 describe(ruleId, () => {
 const invoke = createInvoker(ruleId, ruleFile, testBase)
-
+
 test("bad", () => {
 const testCase = "bad.java"
 
 expect(invoke(testCase)).toMatchSnapshot();
 })
-
+
 test("ok", () => {
 const testCase = "ok.java"
 
 expect(invoke(testCase)).toMatchSnapshot();
 })
-
+
+ // new invoker
+ const invokeV2 = createNewInvoker(ruleId, ruleFile, testBase)
+
+ test("missing_http_only", () => {
+ const testCase = "main.java"
+
+ const results = invokeV2(testCase)
+
+ expect(results.Missing).toEqual([])
+ expect(results.Extra).toEqual([])
+ })
 })
\ No newline at end of file
diff --git a/tests/java/lang/cookie_missing_secure/testdata/main.java b/tests/java/lang/cookie_missing_secure/testdata/main.java
new file mode 100644
index 000000000..798f73333
--- /dev/null
+++ b/tests/java/lang/cookie_missing_secure/testdata/main.java
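Review bot: The new test is named `"missing_http_only"` inside the cookie_missing_secure suite, which reads as carried over from the http_only test and will mislabel any failure in the report; `test("missing_secure", () => {` (or `"main"`, after the fixture file) states what is actually run. The `\ No newline at end of file` marker survives the rewrite, so adding the trailing newline while the file is being touched would keep the next diff clean. Note also that `expect(results.Missing).toEqual([])` together with `expect(results.Extra).toEqual([])` passes vacuously if the fixture carries no expectations and the rule reports nothing, so the assertion is only as strong as the `bearer:expected` markers in main.java.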
@@ -0,0 +1,42 @@
+// Use bearer:expected java_lang_cookie_missing_secure to flag expected findings
+
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.Cookie;
+
+public class Test
+{
+ public static final String COOKIE_NAME = "someCookie";
+
+ public void badCookie(HttpServletResponse res) {
+ // bearer:expected java_lang_cookie_missing_http_only
+ javax.servlet.http.Cookie cookie = new javax.servlet.http.Cookie(COOKIE_NAME, "cookieValue");
+ cookie.setSecure(false);
+ cookie.setMaxAge(60);
+ cookie.setHttpOnly(true);
+ res.addCookie(cookie);
+ }
+
+ public void badCookie2(HttpServletResponse res) {
+ // bearer:expected java_lang_cookie_missing_http_only
+ javax.servlet.http.Cookie cookie = new javax.servlet.http.Cookie(COOKIE_NAME, "cookieValue");
+ cookie.setHttpOnly(true);
+ cookie.setMaxAge(60);
+ res.addCookie(cookie);
+ }
+
+ public void badJakartaCookie(HttpServletResponse response) {
+ // bearer:expected java_lang_cookie_missing_http_only
+ jakarta.servlet.http.Cookie jakartaCookie = new jakarta.servlet.http.Cookie(COOKIE_NAME, "someCookieValue");
+ jakartaCookie.setMaxAge(60);
+ response.addCookie(jakartaCookie);
+ }
+
+ public void badJakartaCookie2(HttpServletResponse response) {
+ // bearer:expected java_lang_cookie_missing_http_only
+ jakarta.servlet.http.Cookie jakartaCookie = new jakarta.servlet.http.Cookie(COOKIE_NAME, "someCookieValue");
+ jakartaCookie.setSecure(false);
+ jakartaCookie.setMaxAge(60);
+ response.addCookie(jakartaCookie);
+ }
+}
+
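Review bot: Every `// bearer:expected` marker in this new fixture names `java_lang_cookie_missing_http_only`, while the header comment on its first line and the test in tests/java/lang/cookie_missing_secure/test.js run `java_lang_cookie_missing_secure`. Depending on how createNewInvoker matches markers to findings, the findings the rule raises on `badCookie`, `badCookie2`, `badJakartaCookie` and `badJakartaCookie2` would either show up as `Extra` with the four markers as `Missing` (failing the `toEqual([])` assertions), or the mismatched id would be accepted silently and the markers would stop documenting which rule is under test. Change each of the four to `// bearer:expected java_lang_cookie_missing_secure`. The fixture also imports the short `Cookie` name on line 4 but never uses it; one case written as `Cookie cookie = new Cookie(COOKIE_NAME, "cookieValue");` would exercise the optional package prefix in the rule's type regex, which the fully-qualified javax and jakarta cases do not.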