java.lang.security.audit.cookie-missing-samesite.cookie-missing-samesite
Detected cookie without the SameSite attribute.
Definition
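# Semgrep rule: reports cookies set through an HttpServletResponse without a
# SameSite attribute (CSRF hardening, CWE-352). Nesting restored: as a flat
# listing, `metadata:` and the `- pattern*` items do not sit under the rule.
rules:
  - id: cookie-missing-samesite
    metadata:
      cwe:
        - "CWE-352: Cross-Site Request Forgery (CSRF)"
      owasp:
        - A01:2021 - Broken Access Control
      asvs:
        section: "V3: Session Management Verification Requirements"
        control_id: 3.4.3 Missing Cookie Attribute
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v34-cookie-based-session-management
        version: "4"
      references:
        - https://stackoverflow.com/questions/42717210/samesite-cookie-in-java-application
      category: security
      technology:
        - java
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      # LOW across the board: this is an audit rule, and the check below is a
      # textual `SameSite=` substring test scoped to the enclosing method, not
      # a per-cookie attribute check, so expect both misses and noise.
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    message: Detected cookie without the SameSite attribute.
    severity: WARNING
    languages:
      - java
    patterns:
      # Suppress every finding in a method (with an HttpServletResponse
      # parameter) that sets at least one Set-Cookie header whose value
      # contains `SameSite=`. This is method-scoped: an addCookie(cookie)
      # call in the same method is also skipped even though the Cookie
      # object's own attributes are never inspected (see the /cookie4 example).
      - pattern-not-inside: |
          $RETURNTYPE $METHOD(..., HttpServletResponse $RESP, ...) {
            ...
            $RESP.setHeader("Set-Cookie", "=~/.*SameSite=.*/");
            ...
          }
      # Both ways of emitting a cookie are candidates: the servlet Cookie API
      # and a hand-built Set-Cookie header.
      - pattern-either:
          - pattern: $RESP.addCookie(...);
          - pattern: $RESP.setHeader("Set-Cookie", ...);
      # Setting the header to null does not emit a cookie, so it is not reported.
      - pattern-not: $RESP.setHeader("Set-Cookie", null);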
Examples
cookie-missing-samesite.java
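/**
 * Semgrep test fixture for {@code cookie-missing-samesite}.
 *
 * <p>Each handler sets a cookie on the {@code HttpServletResponse}; the
 * {@code // ruleid:} and {@code // ok:} comments mark the line the rule is expected
 * to report or to ignore. The rule matches {@code response.addCookie(...)} and
 * {@code response.setHeader("Set-Cookie", ...)}, and suppresses the whole method
 * once any {@code Set-Cookie} header in it contains {@code SameSite=}.
 *
 * <p>Fixture repairs: the original listing declared {@code setEverything} twice
 * (a duplicate method and a duplicate {@code /cookie4} mapping) and used an
 * undeclared {@code cookie} variable in the fourth handler; both are fixed here
 * without moving any {@code ruleid}/{@code ok} annotation.
 *
 * <p>NOTE(review): Spring's {@code @RequestMapping#method} takes {@code RequestMethod}
 * values rather than strings; the string form is kept as in the fixture because the
 * rule only inspects the method bodies.
 */
@Controller
public class CookieController {

  /** The header carries {@code SameSite=strict}, so nothing is reported. */
  @RequestMapping(value = "/cookie1", method = "GET")
  public void setCookie(@RequestParam String value, HttpServletResponse response) {
    // ok:cookie-missing-samesite
    response.setHeader("Set-Cookie", "key=value; HttpOnly; SameSite=strict");
  }

  /** {@code HttpOnly} alone is not enough: no {@code SameSite} attribute, so the header is reported. */
  @RequestMapping(value = "/cookie2", method = "GET")
  public void setSecureCookie(@RequestParam String value, HttpServletResponse response) {
    // ruleid:cookie-missing-samesite
    response.setHeader("Set-Cookie", "key=value; HttpOnly;");
  }

  /**
   * {@code Secure} and {@code HttpOnly} are set on the Cookie object, but no SameSite
   * attribute is given (the javax.servlet Cookie API has no setter for it), so the
   * {@code addCookie} call is reported.
   */
  @RequestMapping(value = "/cookie3", method = "GET")
  public void setSecureHttponlyCookie(@RequestParam String value, HttpServletResponse response) {
    Cookie cookie = new Cookie("cookie", value);
    cookie.setSecure(true);
    cookie.setHttpOnly(true);
    // ruleid:cookie-missing-samesite
    response.addCookie(cookie);
  }

  /**
   * The {@code Set-Cookie} header carries {@code SameSite}, which suppresses the rule for
   * the whole method, including the {@code addCookie} call below. The rule does not verify
   * that the Cookie object itself has a SameSite attribute; the "ok" reflects the rule's
   * method-level scoping, not a guarantee about that cookie.
   */
  @RequestMapping(value = "/cookie4", method = "GET")
  public void setEverything(@RequestParam String value, HttpServletResponse response) {
    Cookie cookie = new Cookie("cookie", value); // declared here; undeclared in the original fixture
    // ok:cookie-missing-samesite
    response.setHeader("Set-Cookie", "key=value; HttpOnly; Secure; SameSite=strict");
    response.addCookie(cookie);
  }

  /** A {@code null} Set-Cookie header emits no cookie and is explicitly excluded by the rule. */
  @RequestMapping(value = "/cookie5", method = "GET")
  public void setNullCookieHeader(@RequestParam String value, HttpServletResponse response) {
    // ok:cookie-missing-samesite
    response.setHeader("Set-Cookie", null);
  }
}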