php.laravel.security.laravel-cookie-secure-set.laravel-cookie-secure-set

profile photo of semgrepsemgrep
Author
unknown
Download Count*
LGPL Commons Clause
License

Found a configuration file where the secure attribute is not set to 'true'. Setting 'secure' to 'true' prevents the client from transmitting the cookie over unencrypted channels and therefore prevents cookies from being stolen through man in the middle attacks.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: laravel-cookie-secure-set
    patterns:
      - pattern: |
          'cookie'
      - pattern-inside: |
          return [
            ...,
            'cookie' => env(...),
            ...
          ];
      - pattern-not-inside: |
          return [
            ...,
            'secure' => true,
            ...
          ];
      - pattern-not-inside: |
          return [
            ...,
            'secure' => env('$NAME', $DEFAULT),
            ...
          ];
    paths:
      include:
        - "*session.php"
    message: "Found a configuration file where the secure attribute is not set to
      'true'. Setting 'secure' to 'true' prevents the client from transmitting
      the cookie over unencrypted channels and therefore prevents cookies from
      being stolen through man in the middle attacks. "
    languages:
      - php
    severity: ERROR
    metadata:
      category: security
      cwe:
        - "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute"
      owasp:
        - A05:2021 - Security Misconfiguration
      technology:
        - php
        - laravel
      references:
        - https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cookie Security