Details

    • Type: Language-Specification
    • Status: Active
    • Resolution: Unresolved
    • Labels:
      None
    • Highlighting:
      Hide
      • the value field, ie the second argument of the new Cookie(...) constructor
        or
      • the parameter of the setValue call on a Cookie object
      Show
      the value field, ie the second argument of the new Cookie(...) constructor or the parameter of the setValue call on a Cookie object
    • Impact:
      Unknown 'null' severity
    • Likelihood:
      Unknown 'null' severity

      Description

      Sensitive Code Example

      // === javax.servlet ===
      import javax.servlet.http.Cookie;
      import javax.servlet.http.HttpServletResponse; 
      import javax.servlet.http.HttpServletRequest;
      
      public class JavaxServlet {
          void aServiceMethodSettingCookie(HttpServletRequest request, HttpServletResponse response, String acctID) {
              Cookie cookie = new Cookie("userAccountID", acctID);  // Sensitive
              response.addCookie(cookie);  // Sensitive
          }    
      }
      
      // === javax.ws ===
      import java.util.Date;
      import javax.ws.rs.core.Cookie;
      import javax.ws.rs.core.NewCookie;
      
      class JavaxWs {
          void jaxRsCookie(String comment, int maxAge, boolean secure, Date expiry, boolean httpOnly, String name,
                  String value, String path, String domain, int version) {
              Cookie cookie= new Cookie("name", "value");  // Sensitive
          
              new NewCookie(cookie);  // Sensitive
              new NewCookie(cookie, comment, maxAge, secure);  // Sensitive
              new NewCookie(cookie, comment, maxAge, expiry, secure, httpOnly);  // Sensitive
              new NewCookie(name, value);  // Sensitive
              new NewCookie(name, value, path, domain, version, comment, maxAge, secure);  // Sensitive
              new NewCookie(name, value, path, domain, version, comment, maxAge, expiry, secure, httpOnly);  // Sensitive
              new NewCookie(name, value, path, domain, comment, maxAge, secure);  // Sensitive
              new NewCookie(name, value, path, domain, comment, maxAge, secure, httpOnly);  // Sensitive
          }
      }
      
      // === java.net ===
      import java.net.HttpCookie;
      
      class JavaNet {
          void httpCookie(HttpCookie hc) {
              HttpCookie cookie = new HttpCookie("name", "value");  // Sensitive
              cookie.setValue("value");  // Sensitive
          }
      }
      
      // === apache.shiro ===
      import org.apache.shiro.web.servlet.SimpleCookie; 
      
      class ApacheShiro {
      
          void shiroCookie(SimpleCookie cookie) { 
              SimpleCookie sc = new SimpleCookie(cookie);  // Sensitive
              cookie.setValue("value");  // Sensitive
          }
      }
      
      // === Play ===
      import play.mvc.Http.Cookie;
      import play.mvc.Http.CookieBuilder;
      
      
      class Play {
          void playCookie() {
              CookieBuilder builder = Cookie.builder("name", "value");  // Sensitive
              builder.withName("name") 
                .withValue("value")  // Sensitive
                .build();
      
          } 
      }
      

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              alexandre.gigleux Alexandre Gigleux
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated: