SonarJava / SONARJAVA-3197

Rule S3330 should report on "setHttpOnly" method when set to "false" and not when initialized

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 5.14
    • Fix Version/s: 6.1
    • Component/s: Rules
    • Labels:

      Description

      In the following code snippet, the implementation of RSPEC-3330 raises an issue on line 5, although there is nothing wrong with this cookie creation.
      The problem is on line 8, where the method setHttpOnly is called with the argument false.
      In this context, the issue is expected on line 8.

      S3330 should raise an issue if:

      • the cookie is created and there is no call to setHttpOnly in the containing method
      • or the cookie is created and there is a call to setHttpOnly with false as argument

      The issue is correctly reported for S2092, which checks the Secure flag.

      Note that S3330 was changed from Security Vulnerability to Security Hotspot.

      import javax.servlet.http.Cookie;
      
      class A {
        void foo() {
          Cookie c = new Cookie("test", "eric"); // actual issue S3330
          System.out.println("secure: " + c.getSecure());
      
          c.setHttpOnly(false); // S3330 should raise issue here
          c.setSecure(false); // True Positive (TP) S2092
        }
      }
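      To pin down the two conditions listed above, the following is an added example and not SonarJava's own code (the real check works on the Java AST, not on regular expressions): a small line-oriented Python checker that applies the proposed S3330 semantics per method and is run over a copy of the snippet from this ticket plus a second constructed class. The method-header detection and the `Cookie` / `setHttpOnly` patterns are simplifying assumptions that cover the shapes of code shown here, not general Java parsing.

```python
import re

# Simplifying assumptions for a line-oriented toy: a method header is a line
# ending in "{" with a parameter list and no class/interface/enum keyword.
METHOD_HEADER = re.compile(
    r"^\s*(?!.*\b(?:class|interface|enum)\b)[\w<>\[\], ]+\s+(\w+)\s*\([^)]*\)\s*\{\s*$"
)
COOKIE_CREATION = re.compile(r"\bCookie\s+(\w+)\s*=\s*new\s+Cookie\s*\(")
SET_HTTPONLY = re.compile(r"\b(\w+)\.setHttpOnly\s*\(\s*(true|false)\s*\)")


def method_bodies(lines):
    """Yield each method body as a list of 1-based (line_no, text) pairs.

    The body is delimited by brace counting from the header line, so a cookie
    created in one method is never matched against a setHttpOnly call in another.
    """
    i = 0
    while i < len(lines):
        if not METHOD_HEADER.match(lines[i]):
            i += 1
            continue
        depth, body, j = 0, [], i
        while j < len(lines):
            body.append((j + 1, lines[j]))
            depth += lines[j].count("{") - lines[j].count("}")
            if depth == 0:
                break
            j += 1
        yield body
        i = j + 1


def s3330_issues(java_source):
    """Return sorted (line, message) pairs where the proposed S3330 should report.

    Condition 1: a Cookie is created and setHttpOnly is never called on it in the
                 containing method -> report the creation line.
    Condition 2: setHttpOnly(false) is called on it -> report the call line,
                 and NOT the creation line (the false positive this ticket describes).
    """
    issues = []
    for body in method_bodies(java_source.splitlines()):
        created = {}   # cookie variable -> line of `new Cookie(...)`
        httponly = {}  # cookie variable -> [(line, "true" | "false"), ...]
        for line_no, text in body:
            m = COOKIE_CREATION.search(text)
            if m:
                created[m.group(1)] = line_no
            for m in SET_HTTPONLY.finditer(text):
                httponly.setdefault(m.group(1), []).append((line_no, m.group(2)))
        for var, line_no in created.items():
            calls = httponly.get(var, [])
            if not calls:
                issues.append((line_no, f'cookie "{var}" created without a setHttpOnly call in this method'))
            for call_line, arg in calls:
                if arg == "false":
                    issues.append((call_line, f'{var}.setHttpOnly(false) disables the HttpOnly flag'))
    return sorted(issues)


# Constructed input: a copy of the snippet from this ticket (line 5 creates the
# cookie, line 8 calls setHttpOnly(false)).
TICKET_SNIPPET = """\
import javax.servlet.http.Cookie;

class A {
  void foo() {
    Cookie c = new Cookie("test", "eric");
    System.out.println("secure: " + c.getSecure());

    c.setHttpOnly(false);
    c.setSecure(false);
  }
}
"""

# Constructed input for condition 1 and method scoping: bar() never calls
# setHttpOnly (report line 3); baz() calls setHttpOnly(true) (compliant).
TWO_METHODS_SNIPPET = """\
class B {
  void bar() {
    Cookie c = new Cookie("a", "b");
  }
  void baz() {
    Cookie d = new Cookie("x", "y");
    d.setHttpOnly(true);
  }
}
"""

if __name__ == "__main__":
    for name, src in (("ticket", TICKET_SNIPPET), ("two methods", TWO_METHODS_SNIPPET)):
        for line, msg in s3330_issues(src):
            print(f"{name}: line {line}: {msg}")
```

      Running it reports line 8 only for the ticket snippet (the creation on line 5 stays clean) and line 3 only for the second class, which is the behaviour the two bullet points above ask for.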
      

      People

      • Assignee: Unassigned
      • Reporter: Eric Therond (eric.therond)