kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly

A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie (for example via `document.cookie`), which limits session theft through XSS; it does not stop an injected script from issuing requests to which the browser attaches the cookie automatically, so it should be combined with the 'Secure' flag and a 'SameSite' attribute rather than relied on alone. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true)' (or, in idiomatic Kotlin, 'cookie.isHttpOnly = true').
Definition
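rules:
  - id: cookie-missing-httponly
    metadata:
      cwe:
        - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
      owasp:
        - A05:2021 - Security Misconfiguration
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#HTTPONLY_COOKIE
      category: security
      technology:
        - kt
      references:
        - https://owasp.org/Top10/A05_2021-Security_Misconfiguration
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cookie Security
    message: A cookie was detected without setting the 'HttpOnly' flag. The
      'HttpOnly' flag for cookies instructs the browser to forbid client-side
      scripts from reading the cookie. Set the 'HttpOnly' flag by calling
      'cookie.setHttpOnly(true);'
    severity: WARNING
    languages:
      - kt
    # Scope: only cookies emitted through `$RESPONSE.addCookie(...)` are
    # inspected. Cookies written as raw `Set-Cookie` headers or built by other
    # frameworks' cookie types are not covered by these patterns.
    patterns:
      # A cookie whose value is cleared is treated as a deletion and skipped;
      # the missing flag is irrelevant there and reporting it would be noise.
      # Both the Java setter and the Kotlin synthetic-property spelling of the
      # same call are excluded.
      - pattern-not-inside: |
          $COOKIE.setValue("")
          ...
      - pattern-not-inside: |
          $COOKIE.value = ""
          ...
      - pattern-either:
          # Explicitly turning the flag off is always reported, on the
          # disabling statement itself, in either spelling.
          - pattern: $COOKIE.setHttpOnly(false)
          - pattern: $COOKIE.isHttpOnly = false
          # Otherwise report the send when no HttpOnly assignment precedes it
          # in the same block. `setHttpOnly(...)` alone would miss the
          # idiomatic Kotlin form `cookie.isHttpOnly = true`, which would
          # otherwise be a false positive here, so both forms are excluded.
          - patterns:
              - pattern-not-inside: |
                  $COOKIE.setHttpOnly(...)
                  ...
              - pattern-not-inside: |
                  $COOKIE.isHttpOnly = $VALUE
                  ...
              - pattern: $RESPONSE.addCookie($COOKIE)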
Examples
cookie-missing-httponly.kt
// Semgrep test fixture for the cookie-missing-httponly rule. The `ruleid:` /
// `ok:` comment directly above a statement records whether the rule must
// report that exact line, so those annotations stay attached to the line
// they describe. Flags are set through the Java-style setters on purpose:
// that is the call shape the rule's patterns match.
class CookieController {
    // HttpOnly is never set, so the cookie is sent readable by scripts.
    fun setCookie(value: String, response: HttpServletResponse) {
        val cookie = Cookie("cookie", value)
        // ruleid: cookie-missing-httponly
        response.addCookie(cookie)
    }

    // Secure on its own does not imply HttpOnly; still reported.
    fun setSecureCookie(value: String, response: HttpServletResponse) {
        val cookie = Cookie("cookie", value)
        cookie.setSecure(true)
        // ruleid: cookie-missing-httponly
        response.addCookie(cookie)
    }

    // Both flags set before the cookie is sent: the compliant case.
    fun setSecureHttponlyCookie(value: String, response: HttpServletResponse) {
        val cookie = Cookie("cookie", value)
        cookie.setSecure(true)
        cookie.setHttpOnly(true)
        // ok: cookie-missing-httponly
        response.addCookie(cookie)
    }

    // Explicitly disabling HttpOnly is reported on the disabling call itself,
    // not on the later addCookie.
    fun explicitDisable(value: String, response: HttpServletResponse) {
        val cookie = Cookie("cookie", value)
        cookie.setSecure(false)
        // ruleid: cookie-missing-httponly
        cookie.setHttpOnly(false)
        response.addCookie(cookie)
    }
}