search

nahsra / WebGoat_12_23

Other
0 stars 2 forks source link

(CodeQL) Fixed finding: "Add secure flag to HTTP cookies" #31

Closed pixeebot[bot] closed 4 months ago

pixeebot[bot] commented 4 months ago

Remediation

This change fixes "Add secure flag to HTTP cookies" (id = insecure-cookie) identified by CodeQL.

Details

This change marks new cookies sent in the HTTP with the "secure" flag. This flag, despite its ambitious name, only provides one type of protection: confidentiality. Cookies with this flag are guaranteed by the browser never to be sent over a cleartext channel ("http://") and only sent over secure channels ("https://").

Our change introduces this flag with a simple 1-line statement:

  Cookie cookie = new Cookie("my_cookie", userCookieValue);
+ cookie.setSecure(true);
  response.addCookie(cookie);

Note: this code change may cause issues with the application if any of the places this code runs (in CI, pre-production or in production) are running in non-HTTPS protocol.

More reading * [https://codeql.github.com/codeql-query-help/java/java-insecure-cookie/](https://codeql.github.com/codeql-query-help/java/java-insecure-cookie/) * [https://owasp.org/www-community/controls/SecureCookieAttribute](https://owasp.org/www-community/controls/SecureCookieAttribute) * [https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) * [https://cwe.mitre.org/data/definitions/614.html](https://cwe.mitre.org/data/definitions/614.html)

I have additional improvements ready for this repo! If you want to see them, leave the comment:

@pixeebot next

... and I will open a new PR right away!

🧚🤖 Powered by Pixeebot

Feedback | Community | Docs | Codemod ID: codeql:java/insecure-cookie

sonarcloud[bot] commented 4 months ago

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

pixeebot[bot] commented 4 months ago

I'm confident in this change, and the CI checks pass, too!

If you see any reason not to merge this, or you have suggestions for improvements, please let me know!

pixeebot[bot] commented 4 months ago

Just a friendly ping to remind you about this change. If there are concerns about it, we'd love to hear about them!

pixeebot[bot] commented 4 months ago

This change may not be a priority right now, so I'll close it. If there was something I could have done better, please let me know!

You can also customize me to make sure I'm working with you in the way you want.