-
Notifications
You must be signed in to change notification settings - Fork 8
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fix(php): split insecure cookie rule
- Loading branch information
Showing
7 changed files
with
262 additions
and
377 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,89 @@ | ||
| patterns: | ||
| - pattern: $<SET_COOKIE>; | ||
| filters: | ||
| - variable: SET_COOKIE | ||
| detection: php_lang_cookie_missing_http_only_setcookie | ||
| scope: cursor | ||
| - not: | ||
| variable: SET_COOKIE | ||
| detection: php_lang_cookie_missing_http_only_using_options | ||
| scope: cursor | ||
| - not: | ||
| variable: SET_COOKIE | ||
| detection: php_lang_cookie_missing_http_only_httponly | ||
| scope: cursor | ||
| - pattern: $<FUNCTION>($<_>, $<_>, $<OPTIONS>) | ||
| filters: | ||
| - variable: FUNCTION | ||
| values: | ||
| - setcookie | ||
| - setrawcookie | ||
| - variable: OPTIONS | ||
| detection: php_lang_cookie_missing_http_only_array | ||
| scope: cursor | ||
| - not: | ||
| variable: OPTIONS | ||
| detection: php_lang_cookie_missing_http_only_httponly_option | ||
| scope: cursor | ||
| auxiliary: | ||
| - id: php_lang_cookie_missing_http_only_setcookie | ||
| patterns: | ||
| - pattern: $<FUNCTION>() | ||
| filters: | ||
| - variable: FUNCTION | ||
| values: | ||
| - setcookie | ||
| - setrawcookie | ||
| - id: php_lang_cookie_missing_http_only_httponly | ||
| patterns: | ||
| - pattern: $<_>($<_>, $<_>, $<_>, $<_>, $<_>, $<_>, $<HTTP_ONLY>$<...>) | ||
| filters: | ||
| - variable: HTTP_ONLY | ||
| detection: php_lang_cookie_missing_http_only_true | ||
| scope: cursor | ||
| - pattern: | | ||
| $<_>(httponly: $<TRUE>) | ||
| filters: | ||
| - variable: "TRUE" | ||
| detection: php_lang_cookie_missing_http_only_true | ||
| scope: cursor | ||
| - id: php_lang_cookie_missing_http_only_using_options | ||
| patterns: | ||
| - pattern: $<_>($<_>, $<_>, $<OPTIONS>) | ||
| filters: | ||
| - variable: OPTIONS | ||
| detection: php_lang_cookie_missing_http_only_array | ||
| scope: cursor | ||
| - id: php_lang_cookie_missing_http_only_true | ||
| patterns: | ||
| - pattern: "true;" | ||
| - id: php_lang_cookie_missing_http_only_array | ||
| patterns: | ||
| - pattern: array(); | ||
| - id: php_lang_cookie_missing_http_only_httponly_option | ||
| patterns: | ||
| - pattern: array('httponly' => $<SECURE>) | ||
| filters: | ||
| - variable: SECURE | ||
| detection: php_lang_cookie_missing_http_only_true | ||
| scope: cursor | ||
| languages: | ||
| - php | ||
| metadata: | ||
| description: "Missing 'HTTPOnly' options in cookie configuration." | ||
| remediation_message: | | ||
| ## Description | ||
| The "HttpOnly" attribute when set to "true" protects the cookie value from | ||
| being accessed by client side JavaScript such as reading the "document.cookie" | ||
| values. By enabling this protection, a website that is vulnerable to Cross-Site | ||
| Scripting (XSS) will be able to block malicious scripts from accessing the | ||
| cookie value from JavaScript. | ||
| ## Remediations | ||
| ✅ Set `httponly` to `true` to avoid the cookie being sent by client-side scripts. | ||
| cwe_id: | ||
| - 1004 | ||
| id: php_lang_cookie_missing_http_only | ||
| documentation_url: https://docs.bearer.com/reference/rules/php_lang_cookie_missing_http_only | ||
| cloud_code_suggestions: true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| const { | ||
| createNewInvoker, | ||
| getEnvironment, | ||
| } = require("../../../helper.js") | ||
| const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) | ||
|
|
||
| describe(ruleId, () => { | ||
| const invoke = createNewInvoker(ruleId, ruleFile, testBase) | ||
|
|
||
| test("cookie_missing_http_only", () => { | ||
| const testCase = "index.php" | ||
|
|
||
| const results = invoke(testCase) | ||
|
|
||
| expect(results.Missing).toEqual([]) | ||
| expect(results.Extra).toEqual([]) | ||
| }) | ||
| }) |
42 changes: 42 additions & 0 deletions
42
tests/php/lang/cookie_missing_http_only/testdata/index.php
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,42 @@ | ||
| <?php | ||
|
|
||
| // bearer:expected php_lang_cookie_missing_http_only | ||
| setcookie("name", "value"); | ||
| // bearer:expected php_lang_cookie_missing_http_only | ||
| setcookie("name", "value", 0, "", "", false, false, []); | ||
| // bearer:expected php_lang_cookie_missing_http_only | ||
| setcookie("name", "value", 0, "", "", true, false, []); | ||
| // bearer:expected php_lang_cookie_missing_http_only | ||
| setcookie("name", "value", secure: true); | ||
| // bearer:expected php_lang_cookie_missing_http_only | ||
| setcookie("name", "value", secure: false, httponly: false); | ||
| // bearer:expected php_lang_cookie_missing_http_only | ||
| setcookie("name", "value", ["httponly" => false, "secure" => false]); | ||
| // bearer:expected php_lang_cookie_missing_http_only | ||
| setcookie("name", "value", ["httponly" => false, "secure" => true]); | ||
| // bearer:expected php_lang_cookie_missing_http_only | ||
| setcookie("name", "value", []); | ||
|
|
||
| // bearer:expected php_lang_cookie_missing_http_only | ||
| setrawcookie("name", "value"); | ||
| // bearer:expected php_lang_cookie_missing_http_only | ||
| setrawcookie("name", "value", 0, "", "", false, false, []); | ||
| // bearer:expected php_lang_cookie_missing_http_only | ||
| setrawcookie("name", "value", 0, "", "", true, false, []); | ||
| // bearer:expected php_lang_cookie_missing_http_only | ||
| setrawcookie("name", "value", secure: true); | ||
| // bearer:expected php_lang_cookie_missing_http_only | ||
| setrawcookie("name", "value", secure: false, httponly: false); | ||
| // bearer:expected php_lang_cookie_missing_http_only | ||
| setrawcookie("name", "value", ["httponly" => false, "secure" => false]); | ||
| // bearer:expected php_lang_cookie_missing_http_only | ||
| setrawcookie("name", "value", ["httponly" => false, "secure" => true]); | ||
| // bearer:expected php_lang_cookie_missing_http_only | ||
| setrawcookie("name", "value", []); | ||
|
|
||
| // ok | ||
| setcookie("name", "value", 0, "", "", false, true, []); | ||
| setcookie("name", "value", httponly: true); | ||
| setrawcookie("name", "value", 0, "", "", false, true, []); | ||
| setrawcookie("name", "value", ["httponly" => true, "secure" => false]); | ||
| setrawcookie("name", "value", httponly: true); |
Oops, something went wrong.