php.laravel.security.laravel-cookie-long-timeout.laravel-cookie-long-timeout

semgrep

Author

unknown

Download Count*

LGPL Commons Clause

License

Found a configuration file where the lifetime attribute is over 30 minutes.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit Rule View Source

Open in Playground

rules:
  - id: laravel-cookie-long-timeout
    patterns:
      - pattern: |
          'lifetime'
      - pattern-inside: |
          return [
            ...,
            'lifetime' => $TIME,
            ...
          ];
      - pattern-not-inside: |
          return [
            ...,
            'lifetime' => env("$VAR", $DEFAULT),
            ...
          ];
      - metavariable-comparison:
          metavariable: $TIME
          comparison: $TIME > 30
    paths:
      include:
        - "*session.php"
    message: Found a configuration file where the lifetime attribute is over 30 minutes.
    languages:
      - php
    severity: ERROR
    metadata:
      category: security
      cwe:
        - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
      owasp:
        - A05:2021 - Security Misconfiguration
      technology:
        - php
        - laravel
      references:
        - https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cookie Security

Short Link: https://sg.run/P1R0