diff --git a/rules/java/security/missing-httponly-java.yml b/rules/java/security/missing-httponly-java.yml new file mode 100644 index 00000000..90f65f94 --- /dev/null +++ b/rules/java/security/missing-httponly-java.yml 
@@ -0,0 +1,617 @@ +id: missing-httponly-java +language: java +severity: warning +message: >- + Detected a cookie where the `HttpOnly` flag is either missing or + disabled. The `HttpOnly` cookie flag instructs the browser to forbid + client-side JavaScript to read the cookie. If JavaScript interaction is + required, you can ignore this finding. However, set the `HttpOnly` flag to + true` in all other cases. +note: >- + [CWE-1004]: Sensitive Cookie Without 'HttpOnly' Flag + [OWASP A05:2021]: Security Misconfiguration + [REFERENCES] + - https://owasp.org/Top10/A05_2021-Security_Misconfiguration + +ast-grep-essentials: true + +utils: + commons_not_rule_parts: + all: + - not: + inside: + any: + - kind: method_invocation + - kind: field_access + - not: + has: + stopBy: end + kind: method_invocation + all: + - has: + nthChild: + position: 2 + reverse: true + kind: identifier + field: name + regex: ^(httpOnly)$ + - has: + nthChild: + position: 1 + reverse: true + kind: argument_list + - not: + has: + nthChild: + position: 2 + reverse: true + kind: identifier + field: name + regex: ^(httpOnly)$ + precedes: + kind: argument_list + + cookie.of_pattern_for_c_equals_Cookie.of: + nthChild: 1 + kind: identifier + any: + - regex: ^(io.micronaut.http.cookie.Cookie)$ + - regex: ^(Cookie)$ + inside: + stopBy: end + follows: + stopBy: end + kind: import_declaration + has: + nthChild: 1 + kind: scoped_identifier + regex: ^(io.micronaut.http.cookie.Cookie)$ + precedes: + kind: identifier + regex: ^(of)$ + precedes: + kind: argument_list + +rule: + any: + # io.micronaut.http.cookie.Cookie.of(...) 
+ - kind: method_invocation + all: + - has: + nthChild: 1 + kind: identifier + field: object + regex: ^(Cookie)$ + - has: + nthChild: 2 + kind: identifier + field: name + regex: ^(of)$ + - has: + nthChild: 3 + kind: argument_list + - not: + any: + - inside: + stopBy: end + kind: method_invocation + any: + - has: + kind: identifier + field: name + regex: ^(httpOnly)$ + - inside: + any: + - kind: variable_declarator + - kind: assignment_expression + - inside: + stopBy: end + any: + - kind: variable_declarator + - kind: assignment_expression + inside: + stopBy: end + follows: + stopBy: end + kind: import_declaration + has: + kind: scoped_identifier + nthChild: 1 + regex: ^(io.micronaut.http.cookie.Cookie)$ + + - kind: method_invocation + all: + - has: + nthChild: 1 + kind: field_access + field: object + regex: ^(io.micronaut.http.cookie.Cookie)$ + - has: + nthChild: 2 + kind: identifier + field: name + regex: ^(of)$ + - has: + nthChild: 3 + kind: argument_list + - not: + any: + - inside: + stopBy: end + any: + - kind: method_invocation + - kind: field_access + regex: ^(io.micronaut.http.cookie.Cookie.of()) + has: + kind: identifier + field: name + regex: ^(httpOnly)$ + + - inside: + stopBy: end + any: + - kind: method_invocation + - kind: field_access + regex: ^(io.micronaut.http.cookie.Cookie.of()) + inside: + any: + - kind: variable_declarator + - kind: assignment_expression + + - inside: + any: + - kind: variable_declarator + - kind: assignment_expression + + # new instance of SimpleCookie, NettyCookie and Cookie + # Cookie + - any: + - kind: object_creation_expression + not: + inside: + any: + - kind: field_access + - kind: method_invocation + all: + - has: + kind: type_identifier + nthChild: 1 + regex: ^(Cookie)$ + - has: + kind: argument_list + nthChild: 2 + - not: + inside: + any: + - kind: assignment_expression + - kind: variable_declarator + + - any: + - kind: method_invocation + - kind: field_access + regex: ^(new) + all: + - matches: commons_not_rule_parts 
+ - has: + stopBy: end + kind: object_creation_expression + all: + - has: + kind: type_identifier + nthChild: 1 + regex: ^(Cookie)$ + - has: + kind: argument_list + nthChild: 2 + inside: + stopBy: end + follows: + stopBy: end + kind: import_declaration + has: + nthChild: 1 + kind: scoped_identifier + regex: ^(io.micronaut.http.cookie.Cookie)$ + + - any: + - kind: object_creation_expression + not: + inside: + any: + - kind: field_access + - kind: method_invocation + all: + - has: + kind: scoped_type_identifier + nthChild: 1 + regex: ^(io.micronaut.http.cookie.Cookie)$ + - has: + kind: argument_list + nthChild: 2 + - not: + inside: + any: + - kind: assignment_expression + - kind: variable_declarator + + - any: + - kind: method_invocation + - kind: field_access + all: + - matches: commons_not_rule_parts + - has: + stopBy: end + kind: object_creation_expression + all: + - has: + kind: scoped_type_identifier + nthChild: 1 + regex: ^(io.micronaut.http.cookie.Cookie)$ + - has: + kind: argument_list + nthChild: 2 + + # SimpleCookie + - any: + - kind: object_creation_expression + not: + inside: + any: + - kind: field_access + - kind: method_invocation + all: + - has: + kind: type_identifier + nthChild: 1 + regex: ^(SimpleCookie)$ + - has: + kind: argument_list + nthChild: 2 + - not: + inside: + any: + - kind: assignment_expression + - kind: variable_declarator + + - any: + - kind: method_invocation + - kind: field_access + regex: ^(new) + all: + - matches: commons_not_rule_parts + - has: + stopBy: end + kind: object_creation_expression + all: + - has: + kind: type_identifier + nthChild: 1 + regex: ^(SimpleCookie)$ + - has: + kind: argument_list + nthChild: 2 + inside: + stopBy: end + follows: + stopBy: end + kind: import_declaration + has: + nthChild: 1 + kind: scoped_identifier + regex: ^(io.micronaut.http.simple.cookies.SimpleCookie)$ + + - any: + - kind: object_creation_expression + not: + inside: + any: + - kind: field_access + - kind: method_invocation + all: + - has: 
+ kind: scoped_type_identifier + nthChild: 1 + regex: ^(io.micronaut.http.simple.cookies.SimpleCookie)$ + - has: + kind: argument_list + nthChild: 2 + - not: + inside: + any: + - kind: assignment_expression + - kind: variable_declarator + + - any: + - kind: method_invocation + - kind: field_access + all: + - matches: commons_not_rule_parts + - has: + stopBy: end + kind: object_creation_expression + all: + - has: + kind: scoped_type_identifier + nthChild: 1 + regex: ^(io.micronaut.http.simple.cookies.SimpleCookie)$ + - has: + kind: argument_list + nthChild: 2 + + # NettyCookie + - any: + - kind: object_creation_expression + not: + inside: + any: + - kind: field_access + - kind: method_invocation + all: + - has: + kind: type_identifier + nthChild: 1 + regex: ^(NettyCookie)$ + - has: + kind: argument_list + nthChild: 2 + - not: + inside: + any: + - kind: assignment_expression + - kind: variable_declarator + + - any: + - kind: method_invocation + - kind: field_access + regex: ^(new) + all: + - matches: commons_not_rule_parts + - has: + stopBy: end + kind: object_creation_expression + all: + - has: + kind: type_identifier + nthChild: 1 + regex: ^(NettyCookie)$ + - has: + kind: argument_list + nthChild: 2 + inside: + stopBy: end + follows: + stopBy: end + kind: import_declaration + has: + nthChild: 1 + kind: scoped_identifier + regex: ^(io.micronaut.http.netty.cookies.NettyCookie)$ + + - any: + - kind: object_creation_expression + not: + inside: + any: + - kind: field_access + - kind: method_invocation + all: + - has: + kind: scoped_type_identifier + nthChild: 1 + regex: ^(io.micronaut.http.netty.cookies.NettyCookie)$ + - has: + kind: argument_list + nthChild: 2 + - not: + inside: + any: + - kind: assignment_expression + - kind: variable_declarator + + - any: + - kind: method_invocation + - kind: field_access + all: + - matches: commons_not_rule_parts + - has: + stopBy: end + kind: object_creation_expression + all: + - has: + kind: scoped_type_identifier + nthChild: 1 + 
regex: ^(io.micronaut.http.netty.cookies.NettyCookie)$ + - has: + kind: argument_list + nthChild: 2 + + # # Assignement Patterns + - kind: identifier + pattern: $C + nthChild: 1 + inside: + kind: variable_declarator + nthChild: 2 + has: + kind: object_creation_expression + all: + - has: + nthChild: 1 + any: + - kind: type_identifier + - kind: scoped_type_identifier + - has: + nthChild: 2 + kind: argument_list + inside: + kind: local_variable_declaration + has: + nthChild: 1 + any: + - kind: scoped_type_identifier + regex: ^(io.micronaut.http.cookie.Cookie|io.micronaut.http.netty.cookies.NettyCookie|io.micronaut.http.simple.cookies.SimpleCookie)$ + not: + precedes: + stopBy: end + has: + stopBy: end + kind: method_invocation + pattern: $C.httpOnly($$$) + + - kind: identifier + pattern: $C + nthChild: 1 + inside: + kind: variable_declarator + nthChild: 2 + has: + kind: object_creation_expression + all: + - has: + nthChild: 1 + any: + - kind: type_identifier + - kind: scoped_type_identifier + - has: + nthChild: 2 + kind: argument_list + inside: + kind: local_variable_declaration + any: + - all: + - has: + nthChild: 1 + any: + - kind: type_identifier + regex: ^(Cookie)$ + - inside: + stopBy: end + follows: + stopBy: end + kind: import_declaration + has: + nthChild: 1 + kind: scoped_identifier + regex: ^(io.micronaut.http.cookie.Cookie)$ + - all: + - has: + nthChild: 1 + any: + - kind: type_identifier + regex: ^(SimpleCookie)$ + - inside: + stopBy: end + follows: + stopBy: end + kind: import_declaration + has: + nthChild: 1 + kind: scoped_identifier + regex: ^(io.micronaut.http.simple.cookies.SimpleCookie)$ + - all: + - has: + nthChild: 1 + any: + - kind: type_identifier + regex: ^(NettyCookie)$ + - inside: + stopBy: end + follows: + stopBy: end + kind: import_declaration + has: + nthChild: 1 + kind: scoped_identifier + regex: ^(io.micronaut.http.netty.cookies.NettyCookie)$ + not: + precedes: + stopBy: end + has: + stopBy: end + kind: method_invocation + pattern: 
$C.httpOnly($$$) + + # last pattern + - kind: identifier + pattern: $C + nthChild: 1 + inside: + any: + - kind: assignment_expression + - kind: variable_declarator + has: + nthChild: 2 + any: + - any: + - kind: field_access + - kind: method_invocation + not: + has: + stopBy: end + kind: identifier + regex: ^(httpOnly|getCookies)$ + precedes: + kind: argument_list + has: + stopBy: end + kind: method_invocation + all: + - has: + nthChild: 1 + any: + - kind: field_access + regex: ^(io.micronaut.http.cookie.Cookie)$ + - kind: identifier + regex: ^(Cookie)$ + inside: + stopBy: end + follows: + stopBy: end + kind: import_declaration + has: + nthChild: 1 + kind: scoped_identifier + regex: ^(io.micronaut.http.cookie.Cookie)$ + - has: + nthChild: 2 + kind: identifier + regex: ^(of)$ + - has: + nthChild: 3 + kind: argument_list + + - kind: method_invocation + all: + - has: + nthChild: 1 + any: + - kind: field_access + regex: ^(io.micronaut.http.cookie.Cookie)$ + - kind: identifier + regex: ^(Cookie)$ + inside: + stopBy: end + follows: + stopBy: end + kind: import_declaration + has: + nthChild: 1 + kind: scoped_identifier + regex: ^(io.micronaut.http.cookie.Cookie)$ + - has: + nthChild: 2 + kind: identifier + regex: ^(of)$ + - has: + nthChild: 3 + kind: argument_list + + not: + inside: + stopBy: end + precedes: + stopBy: end + has: + stopBy: end + kind: method_invocation + pattern: $C.httpOnly($$$) diff --git a/rules/java/security/missing-secure-java.yml b/rules/java/security/missing-secure-java.yml new file mode 100644 index 00000000..1ad4bd8e --- /dev/null +++ b/rules/java/security/missing-secure-java.yml 
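Review bot: Every negative check in this rule only tests that some `httpOnly(...)` call exists — `regex: ^(httpOnly)$` on the enclosing method name in the `Cookie.of` branches, the same check inside `commons_not_rule_parts`, and `pattern: $C.httpOnly($$$)` in the assignment branches — so a cookie configured with `cookie.httpOnly(false)` is treated as safe, while the message promises to detect a flag that is "either missing or disabled". Either restrict the suppression to an enabling call (for example `pattern: $C.httpOnly(true)`, plus the no-arg form the `valid` test relies on) or narrow the message to "missing", and pin the choice with an `invalid` test case containing `.httpOnly(false)`; the identical issue exists for `secure(...)` in the missing-secure-java.yml hunk. Smaller points in both rule files: the message's "true`" is missing its opening backtick, the `cookie.of_pattern_for_c_equals_Cookie.of` util is never referenced by any `matches:` and reads as dead config, and the comment `# # Assignement Patterns` has a doubled `#` and a typo.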
@@ -0,0 +1,616 @@ +id: missing-secure-java +language: java +severity: warning +message: >- + Detected a cookie where the `Secure` flag is either missing or + disabled. The `Secure` cookie flag instructs the browser to forbid sending + the cookie over an insecure HTTP request. Set the `Secure` flag to `true` + so the cookie will only be sent over HTTPS. +note: >- + [CWE-614]: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute + [OWASP A05:2021]: Security Misconfiguration + [REFERENCES] + - https://owasp.org/Top10/A05_2021-Security_Misconfiguration + +ast-grep-essentials: true + +utils: + commons_not_rule_parts: + all: + - not: + inside: + any: + - kind: method_invocation + - kind: field_access + - not: + has: + stopBy: end + kind: method_invocation + all: + - has: + nthChild: + position: 2 + reverse: true + kind: identifier + field: name + regex: ^(secure)$ + - has: + nthChild: + position: 1 + reverse: true + kind: argument_list + - not: + has: + nthChild: + position: 2 + reverse: true + kind: identifier + field: name + regex: ^(secure)$ + precedes: + kind: argument_list + + cookie.of_pattern_for_c_equals_Cookie.of: + nthChild: 1 + kind: identifier + any: + - regex: ^(io.micronaut.http.cookie.Cookie)$ + - regex: ^(Cookie)$ + inside: + stopBy: end + follows: + stopBy: end + kind: import_declaration + has: + nthChild: 1 + kind: scoped_identifier + regex: ^(io.micronaut.http.cookie.Cookie)$ + precedes: + kind: identifier + regex: ^(of)$ + precedes: + kind: argument_list + +rule: + any: + # io.micronaut.http.cookie.Cookie.of(...) 
+ - kind: method_invocation + all: + - has: + nthChild: 1 + kind: identifier + field: object + regex: ^(Cookie)$ + - has: + nthChild: 2 + kind: identifier + field: name + regex: ^(of)$ + - has: + nthChild: 3 + kind: argument_list + - not: + any: + - inside: + stopBy: end + kind: method_invocation + any: + - has: + kind: identifier + field: name + regex: ^(secure)$ + - inside: + any: + - kind: variable_declarator + - kind: assignment_expression + - inside: + stopBy: end + any: + - kind: variable_declarator + - kind: assignment_expression + inside: + stopBy: end + follows: + stopBy: end + kind: import_declaration + has: + kind: scoped_identifier + nthChild: 1 + regex: ^(io.micronaut.http.cookie.Cookie)$ + + - kind: method_invocation + all: + - has: + nthChild: 1 + kind: field_access + field: object + regex: ^(io.micronaut.http.cookie.Cookie)$ + - has: + nthChild: 2 + kind: identifier + field: name + regex: ^(of)$ + - has: + nthChild: 3 + kind: argument_list + - not: + any: + - inside: + stopBy: end + any: + - kind: method_invocation + - kind: field_access + regex: ^(io.micronaut.http.cookie.Cookie.of()) + has: + kind: identifier + field: name + regex: ^(secure)$ + + - inside: + stopBy: end + any: + - kind: method_invocation + - kind: field_access + regex: ^(io.micronaut.http.cookie.Cookie.of()) + inside: + any: + - kind: variable_declarator + - kind: assignment_expression + + - inside: + any: + - kind: variable_declarator + - kind: assignment_expression + + # new instance of SimpleCookie, NettyCookie and Cookie + # Cookie + - any: + - kind: object_creation_expression + not: + inside: + any: + - kind: field_access + - kind: method_invocation + all: + - has: + kind: type_identifier + nthChild: 1 + regex: ^(Cookie)$ + - has: + kind: argument_list + nthChild: 2 + - not: + inside: + any: + - kind: assignment_expression + - kind: variable_declarator + + - any: + - kind: method_invocation + - kind: field_access + regex: ^(new) + all: + - matches: commons_not_rule_parts + - 
has: + stopBy: end + kind: object_creation_expression + all: + - has: + kind: type_identifier + nthChild: 1 + regex: ^(Cookie)$ + - has: + kind: argument_list + nthChild: 2 + inside: + stopBy: end + follows: + stopBy: end + kind: import_declaration + has: + nthChild: 1 + kind: scoped_identifier + regex: ^(io.micronaut.http.cookie.Cookie)$ + + - any: + - kind: object_creation_expression + not: + inside: + any: + - kind: field_access + - kind: method_invocation + all: + - has: + kind: scoped_type_identifier + nthChild: 1 + regex: ^(io.micronaut.http.cookie.Cookie)$ + - has: + kind: argument_list + nthChild: 2 + - not: + inside: + any: + - kind: assignment_expression + - kind: variable_declarator + + - any: + - kind: method_invocation + - kind: field_access + all: + - matches: commons_not_rule_parts + - has: + stopBy: end + kind: object_creation_expression + all: + - has: + kind: scoped_type_identifier + nthChild: 1 + regex: ^(io.micronaut.http.cookie.Cookie)$ + - has: + kind: argument_list + nthChild: 2 + + # SimpleCookie + - any: + - kind: object_creation_expression + not: + inside: + any: + - kind: field_access + - kind: method_invocation + all: + - has: + kind: type_identifier + nthChild: 1 + regex: ^(SimpleCookie)$ + - has: + kind: argument_list + nthChild: 2 + - not: + inside: + any: + - kind: assignment_expression + - kind: variable_declarator + + - any: + - kind: method_invocation + - kind: field_access + regex: ^(new) + all: + - matches: commons_not_rule_parts + - has: + stopBy: end + kind: object_creation_expression + all: + - has: + kind: type_identifier + nthChild: 1 + regex: ^(SimpleCookie)$ + - has: + kind: argument_list + nthChild: 2 + inside: + stopBy: end + follows: + stopBy: end + kind: import_declaration + has: + nthChild: 1 + kind: scoped_identifier + regex: ^(io.micronaut.http.simple.cookies.SimpleCookie)$ + + - any: + - kind: object_creation_expression + not: + inside: + any: + - kind: field_access + - kind: method_invocation + all: + - has: + 
kind: scoped_type_identifier + nthChild: 1 + regex: ^(io.micronaut.http.simple.cookies.SimpleCookie)$ + - has: + kind: argument_list + nthChild: 2 + - not: + inside: + any: + - kind: assignment_expression + - kind: variable_declarator + + - any: + - kind: method_invocation + - kind: field_access + all: + - matches: commons_not_rule_parts + - has: + stopBy: end + kind: object_creation_expression + all: + - has: + kind: scoped_type_identifier + nthChild: 1 + regex: ^(io.micronaut.http.simple.cookies.SimpleCookie)$ + - has: + kind: argument_list + nthChild: 2 + + # NettyCookie + - any: + - kind: object_creation_expression + not: + inside: + any: + - kind: field_access + - kind: method_invocation + all: + - has: + kind: type_identifier + nthChild: 1 + regex: ^(NettyCookie)$ + - has: + kind: argument_list + nthChild: 2 + - not: + inside: + any: + - kind: assignment_expression + - kind: variable_declarator + + - any: + - kind: method_invocation + - kind: field_access + regex: ^(new) + all: + - matches: commons_not_rule_parts + - has: + stopBy: end + kind: object_creation_expression + all: + - has: + kind: type_identifier + nthChild: 1 + regex: ^(NettyCookie)$ + - has: + kind: argument_list + nthChild: 2 + inside: + stopBy: end + follows: + stopBy: end + kind: import_declaration + has: + nthChild: 1 + kind: scoped_identifier + regex: ^(io.micronaut.http.netty.cookies.NettyCookie)$ + + - any: + - kind: object_creation_expression + not: + inside: + any: + - kind: field_access + - kind: method_invocation + all: + - has: + kind: scoped_type_identifier + nthChild: 1 + regex: ^(io.micronaut.http.netty.cookies.NettyCookie)$ + - has: + kind: argument_list + nthChild: 2 + - not: + inside: + any: + - kind: assignment_expression + - kind: variable_declarator + + - any: + - kind: method_invocation + - kind: field_access + all: + - matches: commons_not_rule_parts + - has: + stopBy: end + kind: object_creation_expression + all: + - has: + kind: scoped_type_identifier + nthChild: 1 + 
regex: ^(io.micronaut.http.netty.cookies.NettyCookie)$ + - has: + kind: argument_list + nthChild: 2 + + # # Assignement Patterns + - kind: identifier + pattern: $C + nthChild: 1 + inside: + kind: variable_declarator + nthChild: 2 + has: + kind: object_creation_expression + all: + - has: + nthChild: 1 + any: + - kind: type_identifier + - kind: scoped_type_identifier + - has: + nthChild: 2 + kind: argument_list + inside: + kind: local_variable_declaration + has: + nthChild: 1 + any: + - kind: scoped_type_identifier + regex: ^(io.micronaut.http.cookie.Cookie|io.micronaut.http.netty.cookies.NettyCookie|io.micronaut.http.simple.cookies.SimpleCookie)$ + not: + precedes: + stopBy: end + has: + stopBy: end + kind: method_invocation + pattern: $C.secure($$$) + + - kind: identifier + pattern: $C + nthChild: 1 + inside: + kind: variable_declarator + nthChild: 2 + has: + kind: object_creation_expression + all: + - has: + nthChild: 1 + any: + - kind: type_identifier + - kind: scoped_type_identifier + - has: + nthChild: 2 + kind: argument_list + inside: + kind: local_variable_declaration + any: + - all: + - has: + nthChild: 1 + any: + - kind: type_identifier + regex: ^(Cookie)$ + - inside: + stopBy: end + follows: + stopBy: end + kind: import_declaration + has: + nthChild: 1 + kind: scoped_identifier + regex: ^(io.micronaut.http.cookie.Cookie)$ + - all: + - has: + nthChild: 1 + any: + - kind: type_identifier + regex: ^(SimpleCookie)$ + - inside: + stopBy: end + follows: + stopBy: end + kind: import_declaration + has: + nthChild: 1 + kind: scoped_identifier + regex: ^(io.micronaut.http.simple.cookies.SimpleCookie)$ + - all: + - has: + nthChild: 1 + any: + - kind: type_identifier + regex: ^(NettyCookie)$ + - inside: + stopBy: end + follows: + stopBy: end + kind: import_declaration + has: + nthChild: 1 + kind: scoped_identifier + regex: ^(io.micronaut.http.netty.cookies.NettyCookie)$ + not: + precedes: + stopBy: end + has: + stopBy: end + kind: method_invocation + pattern: 
$C.secure($$$) + + # last pattern + - kind: identifier + pattern: $C + nthChild: 1 + inside: + any: + - kind: assignment_expression + - kind: variable_declarator + has: + nthChild: 2 + any: + - any: + - kind: field_access + - kind: method_invocation + not: + has: + stopBy: end + kind: identifier + regex: ^(secure|getCookies)$ + precedes: + kind: argument_list + has: + stopBy: end + kind: method_invocation + all: + - has: + nthChild: 1 + any: + - kind: field_access + regex: ^(io.micronaut.http.cookie.Cookie)$ + - kind: identifier + regex: ^(Cookie)$ + inside: + stopBy: end + follows: + stopBy: end + kind: import_declaration + has: + nthChild: 1 + kind: scoped_identifier + regex: ^(io.micronaut.http.cookie.Cookie)$ + - has: + nthChild: 2 + kind: identifier + regex: ^(of)$ + - has: + nthChild: 3 + kind: argument_list + + - kind: method_invocation + all: + - has: + nthChild: 1 + any: + - kind: field_access + regex: ^(io.micronaut.http.cookie.Cookie)$ + - kind: identifier + regex: ^(Cookie)$ + inside: + stopBy: end + follows: + stopBy: end + kind: import_declaration + has: + nthChild: 1 + kind: scoped_identifier + regex: ^(io.micronaut.http.cookie.Cookie)$ + - has: + nthChild: 2 + kind: identifier + regex: ^(of)$ + - has: + nthChild: 3 + kind: argument_list + + not: + inside: + stopBy: end + precedes: + stopBy: end + has: + stopBy: end + kind: method_invocation + pattern: $C.secure($$$) diff --git a/tests/__snapshots__/missing-httponly-java-snapshot.yml b/tests/__snapshots__/missing-httponly-java-snapshot.yml new file mode 100644 index 00000000..0afce8c4 --- /dev/null +++ b/tests/__snapshots__/missing-httponly-java-snapshot.yml 
@@ -0,0 +1,208 @@ +id: missing-httponly-java +snapshots: + ? | + package com.example; + + import io.micronaut.http.*; + import io.micronaut.http.cookie.Cookie; + import io.micronaut.http.netty.cookies.NettyCookie; + import io.micronaut.http.simple.cookies.SimpleCookie; + import java.io.*; + + @Controller("/hello") + public class HelloController { + + @Post("/test1") + public MutableHttpMessage postTest1() throws FileNotFoundException { + Cookie cookie = request.getCookies() + .findCookie( "foobar" ) + .orElse( new NettyCookie( "foo", "bar" ) ); + } + } + : labels: + - source: new NettyCookie( "foo", "bar" ) + style: primary + start: 464 + end: 495 + - source: NettyCookie + style: secondary + start: 468 + end: 479 + - source: ( "foo", "bar" ) + style: secondary + start: 479 + end: 495 + - source: io.micronaut.http.netty.cookies.NettyCookie + style: secondary + start: 97 + end: 140 + - source: import io.micronaut.http.netty.cookies.NettyCookie; + style: secondary + start: 90 + end: 141 + - source: import io.micronaut.http.netty.cookies.NettyCookie; + style: secondary + start: 90 + end: 141 + ? 
| + package com.example; + + import io.micronaut.http.*; + import io.micronaut.http.cookie.Cookie; + import io.micronaut.http.netty.cookies.NettyCookie; + import io.micronaut.http.simple.cookies.SimpleCookie; + import java.io.*; + + @Controller("/hello") + public class HelloController { + + @Post("/test1") + public MutableHttpMessage postTest1() throws FileNotFoundException { + Cookie z = new NettyCookie("foo", "bar"); + } + } + : labels: + - source: z + style: primary + start: 377 + end: 378 + - source: Cookie + style: secondary + start: 370 + end: 376 + - source: io.micronaut.http.cookie.Cookie + style: secondary + start: 57 + end: 88 + - source: import io.micronaut.http.cookie.Cookie; + style: secondary + start: 50 + end: 89 + - source: import io.micronaut.http.cookie.Cookie; + style: secondary + start: 50 + end: 89 + - source: Cookie z = new NettyCookie("foo", "bar"); + style: secondary + start: 370 + end: 411 + - source: NettyCookie + style: secondary + start: 385 + end: 396 + - source: ("foo", "bar") + style: secondary + start: 396 + end: 410 + - source: new NettyCookie("foo", "bar") + style: secondary + start: 381 + end: 410 + - source: z = new NettyCookie("foo", "bar") + style: secondary + start: 377 + end: 410 + ? 
| + package com.example; + + import io.micronaut.http.*; + import io.micronaut.http.cookie.Cookie; + import io.micronaut.http.netty.cookies.NettyCookie; + import io.micronaut.http.simple.cookies.SimpleCookie; + import java.io.*; + + @Controller("/hello") + public class HelloController { + + @Post("/test1") + public MutableHttpMessage postTest1() throws FileNotFoundException { + SimpleCookie s = new SimpleCookie("foo", "bar"); + } + } + : labels: + - source: s + style: primary + start: 383 + end: 384 + - source: SimpleCookie + style: secondary + start: 370 + end: 382 + - source: io.micronaut.http.simple.cookies.SimpleCookie + style: secondary + start: 149 + end: 194 + - source: import io.micronaut.http.simple.cookies.SimpleCookie; + style: secondary + start: 142 + end: 195 + - source: import io.micronaut.http.simple.cookies.SimpleCookie; + style: secondary + start: 142 + end: 195 + - source: SimpleCookie s = new SimpleCookie("foo", "bar"); + style: secondary + start: 370 + end: 418 + - source: SimpleCookie + style: secondary + start: 391 + end: 403 + - source: ("foo", "bar") + style: secondary + start: 403 + end: 417 + - source: new SimpleCookie("foo", "bar") + style: secondary + start: 387 + end: 417 + - source: s = new SimpleCookie("foo", "bar") + style: secondary + start: 383 + end: 417 + ? 
| + package com.example; + + import io.micronaut.http.*; + import io.micronaut.http.cookie.Cookie; + import io.micronaut.http.netty.cookies.NettyCookie; + import io.micronaut.http.simple.cookies.SimpleCookie; + import java.io.*; + + @Controller("/hello") + public class HelloController { + + @Post("/test1") + public MutableHttpMessage postTest1() throws FileNotFoundException { + return HttpResponse.ok().cookie(Cookie.of("zzz", "ddd")); + } + } + : labels: + - source: Cookie.of("zzz", "ddd") + style: primary + start: 402 + end: 425 + - source: Cookie + style: secondary + start: 402 + end: 408 + - source: of + style: secondary + start: 409 + end: 411 + - source: ("zzz", "ddd") + style: secondary + start: 411 + end: 425 + - source: io.micronaut.http.cookie.Cookie + style: secondary + start: 57 + end: 88 + - source: import io.micronaut.http.cookie.Cookie; + style: secondary + start: 50 + end: 89 + - source: import io.micronaut.http.cookie.Cookie; + style: secondary + start: 50 + end: 89 diff --git a/tests/__snapshots__/missing-secure-java-snapshot.yml b/tests/__snapshots__/missing-secure-java-snapshot.yml new file mode 100644 index 00000000..8e93db52 --- /dev/null +++ b/tests/__snapshots__/missing-secure-java-snapshot.yml 
@@ -0,0 +1,208 @@ +id: missing-secure-java +snapshots: + ? | + package com.example; + + import io.micronaut.http.*; + import io.micronaut.http.cookie.Cookie; + import io.micronaut.http.netty.cookies.NettyCookie; + import io.micronaut.http.simple.cookies.SimpleCookie; + import java.io.*; + + @Controller("/hello") + public class HelloController { + + @Post("/test1") + public MutableHttpMessage postTest1() throws FileNotFoundException { + Cookie cookie = request.getCookies() + .findCookie( "foobar" ) + .orElse( new NettyCookie( "foo", "bar" ) ); + } + } + : labels: + - source: new NettyCookie( "foo", "bar" ) + style: primary + start: 464 + end: 495 + - source: NettyCookie + style: secondary + start: 468 + end: 479 + - source: ( "foo", "bar" ) + style: secondary + start: 479 + end: 495 + - source: io.micronaut.http.netty.cookies.NettyCookie + style: secondary + start: 97 + end: 140 + - source: import io.micronaut.http.netty.cookies.NettyCookie; + style: secondary + start: 90 + end: 141 + - source: import io.micronaut.http.netty.cookies.NettyCookie; + style: secondary + start: 90 + end: 141 + ? 
| + package com.example; + + import io.micronaut.http.*; + import io.micronaut.http.cookie.Cookie; + import io.micronaut.http.netty.cookies.NettyCookie; + import io.micronaut.http.simple.cookies.SimpleCookie; + import java.io.*; + + @Controller("/hello") + public class HelloController { + + @Post("/test1") + public MutableHttpMessage postTest1() throws FileNotFoundException { + Cookie z = new NettyCookie("foo", "bar"); + } + } + : labels: + - source: z + style: primary + start: 377 + end: 378 + - source: Cookie + style: secondary + start: 370 + end: 376 + - source: io.micronaut.http.cookie.Cookie + style: secondary + start: 57 + end: 88 + - source: import io.micronaut.http.cookie.Cookie; + style: secondary + start: 50 + end: 89 + - source: import io.micronaut.http.cookie.Cookie; + style: secondary + start: 50 + end: 89 + - source: Cookie z = new NettyCookie("foo", "bar"); + style: secondary + start: 370 + end: 411 + - source: NettyCookie + style: secondary + start: 385 + end: 396 + - source: ("foo", "bar") + style: secondary + start: 396 + end: 410 + - source: new NettyCookie("foo", "bar") + style: secondary + start: 381 + end: 410 + - source: z = new NettyCookie("foo", "bar") + style: secondary + start: 377 + end: 410 + ? 
| + package com.example; + + import io.micronaut.http.*; + import io.micronaut.http.cookie.Cookie; + import io.micronaut.http.netty.cookies.NettyCookie; + import io.micronaut.http.simple.cookies.SimpleCookie; + import java.io.*; + + @Controller("/hello") + public class HelloController { + + @Post("/test1") + public MutableHttpMessage postTest1() throws FileNotFoundException { + SimpleCookie s = new SimpleCookie("foo", "bar"); + } + } + : labels: + - source: s + style: primary + start: 383 + end: 384 + - source: SimpleCookie + style: secondary + start: 370 + end: 382 + - source: io.micronaut.http.simple.cookies.SimpleCookie + style: secondary + start: 149 + end: 194 + - source: import io.micronaut.http.simple.cookies.SimpleCookie; + style: secondary + start: 142 + end: 195 + - source: import io.micronaut.http.simple.cookies.SimpleCookie; + style: secondary + start: 142 + end: 195 + - source: SimpleCookie s = new SimpleCookie("foo", "bar"); + style: secondary + start: 370 + end: 418 + - source: SimpleCookie + style: secondary + start: 391 + end: 403 + - source: ("foo", "bar") + style: secondary + start: 403 + end: 417 + - source: new SimpleCookie("foo", "bar") + style: secondary + start: 387 + end: 417 + - source: s = new SimpleCookie("foo", "bar") + style: secondary + start: 383 + end: 417 + ? 
| + package com.example; + + import io.micronaut.http.*; + import io.micronaut.http.cookie.Cookie; + import io.micronaut.http.netty.cookies.NettyCookie; + import io.micronaut.http.simple.cookies.SimpleCookie; + import java.io.*; + + @Controller("/hello") + public class HelloController { + + @Post("/test1") + public MutableHttpMessage postTest1() throws FileNotFoundException { + return HttpResponse.ok().cookie(Cookie.of("zzz", "ddd")); + } + } + : labels: + - source: Cookie.of("zzz", "ddd") + style: primary + start: 402 + end: 425 + - source: Cookie + style: secondary + start: 402 + end: 408 + - source: of + style: secondary + start: 409 + end: 411 + - source: ("zzz", "ddd") + style: secondary + start: 411 + end: 425 + - source: io.micronaut.http.cookie.Cookie + style: secondary + start: 57 + end: 88 + - source: import io.micronaut.http.cookie.Cookie; + style: secondary + start: 50 + end: 89 + - source: import io.micronaut.http.cookie.Cookie; + style: secondary + start: 50 + end: 89 diff --git a/tests/java/missing-httponly-java-test.yml b/tests/java/missing-httponly-java-test.yml new file mode 100644 index 00000000..c8839bd2 --- /dev/null +++ b/tests/java/missing-httponly-java-test.yml 
@@ -0,0 +1,90 @@
+id: missing-httponly-java
+valid:
+ - |
+ package com.example;
+
+ import io.micronaut.http.*;
+ import io.micronaut.http.cookie.Cookie;
+ import io.micronaut.http.netty.cookies.NettyCookie;
+ import io.micronaut.http.simple.cookies.SimpleCookie;
+ import java.io.*;
+
+ @Controller("/hello")
+ public class HelloController {
+
+ @Post("/test1")
+ public MutableHttpMessage postTest1() throws FileNotFoundException {
+ SimpleCookie s = new SimpleCookie("foo", "bar").httpOnly();
+ }
+ }
+invalid:
+ - |
+ package com.example;
+
+ import io.micronaut.http.*;
+ import io.micronaut.http.cookie.Cookie;
+ import io.micronaut.http.netty.cookies.NettyCookie;
+ import io.micronaut.http.simple.cookies.SimpleCookie;
+ import java.io.*;
+
+ @Controller("/hello")
+ public class HelloController {
+
+ @Post("/test1")
+ public MutableHttpMessage postTest1() throws FileNotFoundException {
+ SimpleCookie s = new SimpleCookie("foo", "bar");
+ }
+ }
+ - |
+ package com.example;
+
+ import io.micronaut.http.*;
+ import io.micronaut.http.cookie.Cookie;
+ import io.micronaut.http.netty.cookies.NettyCookie;
+ import io.micronaut.http.simple.cookies.SimpleCookie;
+ import java.io.*;
+
+ @Controller("/hello")
+ public class HelloController {
+
+ @Post("/test1")
+ public MutableHttpMessage postTest1() throws FileNotFoundException {
+ Cookie cookie = request.getCookies()
+ .findCookie( "foobar" )
+ .orElse( new NettyCookie( "foo", "bar" ) );
+ }
+ }
+ - |
+ package com.example;
+
+ import io.micronaut.http.*;
+ import io.micronaut.http.cookie.Cookie;
+ import io.micronaut.http.netty.cookies.NettyCookie;
+ import io.micronaut.http.simple.cookies.SimpleCookie;
+ import java.io.*;
+
+ @Controller("/hello")
+ public class HelloController {
+
+ @Post("/test1")
+ public MutableHttpMessage postTest1() throws FileNotFoundException {
+ Cookie z = new NettyCookie("foo", "bar");
+ }
+ }
+ - |
+ package com.example;
+
+ import io.micronaut.http.*;
+ import io.micronaut.http.cookie.Cookie;
+ import io.micronaut.http.netty.cookies.NettyCookie;
+ import io.micronaut.http.simple.cookies.SimpleCookie;
+ import java.io.*;
+
+ @Controller("/hello")
+ public class HelloController {
+
+ @Post("/test1")
+ public MutableHttpMessage postTest1() throws FileNotFoundException {
+ return HttpResponse.ok().cookie(Cookie.of("zzz", "ddd"));
+ }
+ }
diff --git a/tests/java/missing-secure-java-test.yml b/tests/java/missing-secure-java-test.yml
new file mode 100644
index 00000000..2aa44fee
--- /dev/null
+++ b/tests/java/missing-secure-java-test.yml
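Review bot: The valid section pins only `new SimpleCookie("foo", "bar").httpOnly()`, so a false positive on the other constructs the invalid section exercises would go unnoticed; a valid case for `Cookie.of("zzz", "ddd").httpOnly(true)` and one for `new NettyCookie("foo", "bar").httpOnly(true)` would pin the no-finding path for those shapes. There is also no case for a cookie assigned first and configured on a later statement, `SimpleCookie s = new SimpleCookie("foo", "bar"); s.httpOnly(true);`, which presumably should not be reported if the rule is meant to follow the variable. Nor is there a case with the flag explicitly disabled, `new SimpleCookie("foo", "bar").httpOnly(false)`; since the single valid case is accepted on the presence of the call alone, it is worth pinning whether that form is reported or accepted. The same gaps apply to tests/java/missing-secure-java-test.yml with `secure()`.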
@@ -0,0 +1,90 @@
+id: missing-secure-java
+valid:
+ - |
+ package com.example;
+
+ import io.micronaut.http.*;
+ import io.micronaut.http.cookie.Cookie;
+ import io.micronaut.http.netty.cookies.NettyCookie;
+ import io.micronaut.http.simple.cookies.SimpleCookie;
+ import java.io.*;
+
+ @Controller("/hello")
+ public class HelloController {
+
+ @Post("/test1")
+ public MutableHttpMessage postTest1() throws FileNotFoundException {
+ SimpleCookie s = new SimpleCookie("foo", "bar").secure();
+ }
+ }
+invalid:
+ - |
+ package com.example;
+
+ import io.micronaut.http.*;
+ import io.micronaut.http.cookie.Cookie;
+ import io.micronaut.http.netty.cookies.NettyCookie;
+ import io.micronaut.http.simple.cookies.SimpleCookie;
+ import java.io.*;
+
+ @Controller("/hello")
+ public class HelloController {
+
+ @Post("/test1")
+ public MutableHttpMessage postTest1() throws FileNotFoundException {
+ SimpleCookie s = new SimpleCookie("foo", "bar");
+ }
+ }
+ - |
+ package com.example;
+
+ import io.micronaut.http.*;
+ import io.micronaut.http.cookie.Cookie;
+ import io.micronaut.http.netty.cookies.NettyCookie;
+ import io.micronaut.http.simple.cookies.SimpleCookie;
+ import java.io.*;
+
+ @Controller("/hello")
+ public class HelloController {
+
+ @Post("/test1")
+ public MutableHttpMessage postTest1() throws FileNotFoundException {
+ Cookie cookie = request.getCookies()
+ .findCookie( "foobar" )
+ .orElse( new NettyCookie( "foo", "bar" ) );
+ }
+ }
+ - |
+ package com.example;
+
+ import io.micronaut.http.*;
+ import io.micronaut.http.cookie.Cookie;
+ import io.micronaut.http.netty.cookies.NettyCookie;
+ import io.micronaut.http.simple.cookies.SimpleCookie;
+ import java.io.*;
+
+ @Controller("/hello")
+ public class HelloController {
+
+ @Post("/test1")
+ public MutableHttpMessage postTest1() throws FileNotFoundException {
+ Cookie z = new NettyCookie("foo", "bar");
+ }
+ }
+ - |
+ package com.example;
+
+ import io.micronaut.http.*;
+ import io.micronaut.http.cookie.Cookie;
+ import io.micronaut.http.netty.cookies.NettyCookie;
+ import io.micronaut.http.simple.cookies.SimpleCookie;
+ import java.io.*;
+
+ @Controller("/hello")
+ public class HelloController {
+
+ @Post("/test1")
+ public MutableHttpMessage postTest1() throws FileNotFoundException {
+ return HttpResponse.ok().cookie(Cookie.of("zzz", "ddd"));
+ }
+ }