include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
----
// === javax.servlet ===
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletRequest;
public class JavaxServlet {
    /**
     * Stores the caller-supplied account identifier in a cookie named
     * "userAccountID" and attaches it to the response.
     *
     * Why this is flagged: a cookie is sent to the browser in the Set-Cookie
     * header and kept on the client, where the user can read and edit it.
     * The account identifier is therefore stored client-side in cleartext
     * (CWE-315). If the server later reads this cookie back to decide which
     * account a request belongs to, it must not trust the value as-is; an
     * opaque session reference or an integrity-protected token is the usual
     * alternative.
     *
     * @param request  incoming request; not used by this method
     * @param response response the cookie is added to
     * @param acctID   account identifier that becomes the cookie value
     */
    void aServiceMethodSettingCookie(HttpServletRequest request, HttpServletResponse response, String acctID) {
        // The value argument is what the rule highlights: it is the data that ends up on the client.
        Cookie cookie = new Cookie("userAccountID", acctID); // Sensitive
        // Adding the cookie is what actually ships the value in the response.
        response.addCookie(cookie); // Sensitive
    }
}
----
----
// === javax.ws ===
import java.util.Date;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.NewCookie;
class JavaxWs {
    /**
     * Exercises every public constructor of the JAX-RS cookie types so that
     * each detection point of the rule is visible in one place.
     *
     * Every one of these calls produces a cookie whose value is stored on the
     * client in cleartext. Note that the {@code secure} and {@code httpOnly}
     * flags do not make the value confidential: {@code secure} only restricts
     * the cookie to TLS transport and {@code httpOnly} only hides it from page
     * scripts; the user who owns the browser can still inspect and modify it.
     * That is why the rule reports the constructors regardless of these flags.
     *
     * @param comment  cookie comment attribute
     * @param maxAge   lifetime in seconds
     * @param secure   Secure attribute (transport restriction only)
     * @param expiry   expiry date
     * @param httpOnly HttpOnly attribute (script-access restriction only)
     * @param name     cookie name
     * @param value    cookie value -- the data that is exposed client-side
     * @param path     cookie path
     * @param domain   cookie domain
     * @param version  cookie specification version
     */
    void jaxRsCookie(String comment, int maxAge, boolean secure, Date expiry, boolean httpOnly, String name,
    String value, String path, String domain, int version) {
        // Base Cookie: the second argument is the value highlighted by the rule.
        Cookie cookie= new Cookie("name", "value"); // Sensitive
        // NewCookie built from an existing Cookie: the value is carried over from it.
        new NewCookie(cookie); // Sensitive
        new NewCookie(cookie, comment, maxAge, secure); // Sensitive
        new NewCookie(cookie, comment, maxAge, expiry, secure, httpOnly); // Sensitive
        // NewCookie built from name/value directly: the second argument is the value.
        new NewCookie(name, value); // Sensitive
        new NewCookie(name, value, path, domain, version, comment, maxAge, secure); // Sensitive
        new NewCookie(name, value, path, domain, version, comment, maxAge, expiry, secure, httpOnly); // Sensitive
        new NewCookie(name, value, path, domain, comment, maxAge, secure); // Sensitive
        new NewCookie(name, value, path, domain, comment, maxAge, secure, httpOnly); // Sensitive
    }
}
----
----
// === java.net ===
import java.net.HttpCookie;
class JavaNet {
    /**
     * Shows the two ways a value reaches a {@link java.net.HttpCookie}: the
     * constructor and {@code setValue}.
     *
     * {@code HttpCookie} is the JDK's own cookie representation; whatever is
     * placed in its value is kept unencrypted wherever the cookie is stored
     * or sent, so the same cleartext-storage concern applies here as for the
     * servlet and JAX-RS types.
     *
     * @param hc an existing cookie; not used by this method
     */
    void httpCookie(HttpCookie hc) {
        // Second constructor argument is the value.
        HttpCookie cookie = new HttpCookie("name", "value"); // Sensitive
        // setValue replaces the value; its argument is highlighted by the rule.
        cookie.setValue("value"); // Sensitive
    }
}
----
----
// === apache.shiro ===
import org.apache.shiro.web.servlet.SimpleCookie;
class ApacheShiro {
    /**
     * Shows the Apache Shiro detection points: the {@code SimpleCookie} copy
     * constructor and {@code setValue}.
     *
     * The copy constructor is reported because the new cookie takes over the
     * source cookie's value together with its other attributes, so sensitive
     * data present in {@code cookie} is propagated to {@code sc}.
     *
     * NOTE(review): {@code sc} is never used afterwards, and the
     * {@code setValue} call is made on the parameter {@code cookie} rather
     * than on {@code sc}. Both lines still exercise the rule, but the example
     * would be clearer if the two statements operated on the same object.
     *
     * @param cookie source cookie that is copied and then mutated
     */
    void shiroCookie(SimpleCookie cookie) {
        SimpleCookie sc = new SimpleCookie(cookie); // Sensitive
        // The argument of setValue is the data that ends up on the client.
        cookie.setValue("value"); // Sensitive
    }
}
----
----
// === Play ===
import play.mvc.Http.Cookie;
import play.mvc.Http.CookieBuilder;
class Play {
    /**
     * Shows the Play Framework detection points: the {@code Cookie.builder}
     * factory and the {@code withValue} builder step.
     *
     * Both take the cookie value as an argument; that value is what is sent
     * to and stored on the client in cleartext, so either call is enough to
     * trigger the rule even though only the final {@code build()} produces
     * the cookie object.
     */
    void playCookie() {
        // Second argument to builder(...) is the initial value.
        CookieBuilder builder = Cookie.builder("name", "value"); // Sensitive
        builder.withName("name")
        .withValue("value") // Sensitive -- withValue overrides the value; its argument is highlighted
        .build();
    }
}
----
== See
* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
* https://cwe.mitre.org/data/definitions/312[MITRE, CWE-312] - Cleartext Storage of Sensitive Information
* https://cwe.mitre.org/data/definitions/315[MITRE, CWE-315] - Cleartext Storage of Sensitive Information in a Cookie
* https://wiki.sei.cmu.edu/confluence/display/java/FIO52-J.+Do+not+store+unencrypted+sensitive+information+on+the+client+side[CERT, FIO52-J.] - Do not store unencrypted sensitive information on the client side
* Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#COOKIE_USAGE[COOKIE_USAGE]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
=== Highlighting
* the ``++value++`` field, i.e. the second argument of the ``++new Cookie(...)++`` constructor (or of the equivalent factory/builder call, such as ``++Cookie.builder(...)++`` or ``++withValue(...)++``)
or
* the argument passed to the ``++setValue++`` call on a Cookie object
'''
== Comments And Links
(visible only on this page)
include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]