add secure flag remediation mapping

Author: nahsra

core-codemods/src/main/java/io/codemodder/codemods/DefaultCodemods.java

@@ -90,6 +90,7 @@ public static List<Class<? extends CodeChanger>> asList() {
         SemgrepOverlyPermissiveFilePermissionsCodemod.class,
         SimplifyRestControllerAnnotationsCodemod.class,
         SubstituteReplaceAllCodemod.class,
+        SonarCookieMissingSecureFlagCodemod.class,
         SonarJNDIInjectionCodemod.class,
         SonarObjectDeserializationCodemod.class,
         SonarRemoveUnthrowableExceptionCodemod.class,

core-codemods/src/main/java/io/codemodder/codemods/sonar/SonarCookieMissingSecureFlagCodemod.java

@@ -0,0 +1,62 @@
+package io.codemodder.codemods.sonar;
+
+import com.github.javaparser.ast.CompilationUnit;
+import io.codemodder.*;
+import io.codemodder.codetf.DetectorRule;
+import io.codemodder.providers.sonar.ProvidedSonarScan;
+import io.codemodder.providers.sonar.RuleHotspot;
+import io.codemodder.providers.sonar.SonarRemediatingJavaParserChanger;
+import io.codemodder.remediation.GenericRemediationMetadata;
+import io.codemodder.remediation.Remediator;
+import io.codemodder.remediation.missingsecureflag.MissingSecureFlagRemediator;
+import io.codemodder.sonar.model.Hotspot;
+import io.codemodder.sonar.model.SonarFinding;
+import java.util.List;
+import java.util.Objects;
+import java.util.Optional;
+import javax.inject.Inject;
+
+@Codemod(
+    id = "sonar:java/cookie-missing-secure-flag-2092",
+    reviewGuidance = ReviewGuidance.MERGE_AFTER_CURSORY_REVIEW,
+    importance = Importance.HIGH,
+    executionPriority = CodemodExecutionPriority.HIGH)
+public final class SonarCookieMissingSecureFlagCodemod extends SonarRemediatingJavaParserChanger {
+
+  private final Remediator<Hotspot> remediationStrategy;
+  private final RuleHotspot issues;
+
+  @Inject
+  public SonarCookieMissingSecureFlagCodemod(
+      @ProvidedSonarScan(ruleId = "java:S2092") final RuleHotspot hotspots) {
+    super(GenericRemediationMetadata.MISSING_SECURE_FLAG.reporter(), hotspots);
+    this.issues = Objects.requireNonNull(hotspots);
+    this.remediationStrategy = new MissingSecureFlagRemediator<>();
+  }
+
+  @Override
+  public DetectorRule detectorRule() {
+    return new DetectorRule(
+        "java:S2092",
+        "Make sure creating this cookie without the \"secure\" flag is safe here.",
+        "https://rules.sonarsource.com/java/type/Security%20Hotspot/RSPEC-2092/");
+  }
+
+  @Override
+  public CodemodFileScanningResult visit(
+      final CodemodInvocationContext context, final CompilationUnit cu) {
+    List<Hotspot> issuesForFile = issues.getResultsByPath(context.path());
+    return remediationStrategy.remediateAll(
+        cu,
+        context.path().toString(),
+        detectorRule(),
+        issuesForFile,
+        SonarFinding::getKey,
+        i -> i.getTextRange() != null ? i.getTextRange().getStartLine() : i.getLine(),
+        i ->
+            i.getTextRange() != null
+                ? Optional.of(i.getTextRange().getEndLine())
+                : Optional.empty(),
+        i -> Optional.empty());
+  }
+}

core-codemods/src/test/java/io/codemodder/codemods/sonar/SonarCookieMissingSecureFlagCodemodTest.java

@@ -0,0 +1,19 @@
+package io.codemodder.codemods.sonar;
+
+import io.codemodder.testutils.CodemodTestMixin;
+import io.codemodder.testutils.Metadata;
+import org.junit.jupiter.api.Nested;
+
+final class SonarCookieMissingSecureFlagCodemodTest {
+
+  @Nested
+  @Metadata(
+      codemodType = SonarCookieMissingSecureFlagCodemod.class,
+      testResourceDir = "sonar-missing-secure-flag-2092",
+      renameTestFile =
+          "src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java",
+      expectingFixesAtLines = {76},
+      doRetransformTest = false,
+      dependencies = {})
+  final class SpoofCookieAssignmentTest implements CodemodTestMixin {}
+}

core-codemods/src/test/resources/sonar-missing-secure-flag-2092/SpoofCookieAssignment.java.after

@@ -0,0 +1,126 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2021 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.lessons.spoofcookie;
+
+import java.util.Map;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletResponse;
+import org.apache.commons.lang3.StringUtils;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.owasp.webgoat.lessons.spoofcookie.encoders.EncDec;
+import org.springframework.web.bind.UnsatisfiedServletRequestParameterException;
+import org.springframework.web.bind.annotation.CookieValue;
+import org.springframework.web.bind.annotation.ExceptionHandler;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+
+/***
+ *
+ * @author Angel Olle Blazquez
+ *
+ */
+
+@RestController
+public class SpoofCookieAssignment extends AssignmentEndpoint {
+
+  private static final String COOKIE_NAME = "spoof_auth";
+  private static final String COOKIE_INFO =
+      "Cookie details for user %s:<br />" + COOKIE_NAME + "=%s";
+  private static final String ATTACK_USERNAME = "tom";
+
+  private static final Map<String, String> users =
+      Map.of("webgoat", "webgoat", "admin", "admin", ATTACK_USERNAME, "apasswordfortom");
+
+  @PostMapping(path = "/SpoofCookie/login")
+  @ResponseBody
+  @ExceptionHandler(UnsatisfiedServletRequestParameterException.class)
+  public AttackResult login(
+      @RequestParam String username,
+      @RequestParam String password,
+      @CookieValue(value = COOKIE_NAME, required = false) String cookieValue,
+      HttpServletResponse response) {
+
+    if (StringUtils.isEmpty(cookieValue)) {
+      return credentialsLoginFlow(username, password, response);
+    } else {
+      return cookieLoginFlow(cookieValue);
+    }
+  }
+
+  @GetMapping(path = "/SpoofCookie/cleanup")
+  public void cleanup(HttpServletResponse response) {
+    Cookie cookie = new Cookie(COOKIE_NAME, "");
+    cookie.setSecure(true);
+    cookie.setMaxAge(0);
+    response.addCookie(cookie);
+  }
+
+  private AttackResult credentialsLoginFlow(
+      String username, String password, HttpServletResponse response) {
+    String lowerCasedUsername = username.toLowerCase();
+    if (ATTACK_USERNAME.equals(lowerCasedUsername)
+        && users.get(lowerCasedUsername).equals(password)) {
+      return informationMessage(this).feedback("spoofcookie.cheating").build();
+    }
+
+    String authPassword = users.getOrDefault(lowerCasedUsername, "");
+    if (!authPassword.isBlank() && authPassword.equals(password)) {
+      String newCookieValue = EncDec.encode(lowerCasedUsername);
+      Cookie newCookie = new Cookie(COOKIE_NAME, newCookieValue);
+      newCookie.setPath("/WebGoat");
+      newCookie.setSecure(true);
+      response.addCookie(newCookie);
+      return informationMessage(this)
+          .feedback("spoofcookie.login")
+          .output(String.format(COOKIE_INFO, lowerCasedUsername, newCookie.getValue()))
+          .build();
+    }
+
+    return informationMessage(this).feedback("spoofcookie.wrong-login").build();
+  }
+
+  private AttackResult cookieLoginFlow(String cookieValue) {
+    String cookieUsername;
+    try {
+      cookieUsername = EncDec.decode(cookieValue).toLowerCase();
+    } catch (Exception e) {
+      // for providing some instructive guidance, we won't return 4xx error here
+      return failed(this).output(e.getMessage()).build();
+    }
+    if (users.containsKey(cookieUsername)) {
+      if (cookieUsername.equals(ATTACK_USERNAME)) {
+        return success(this).build();
+      }
+      return failed(this)
+          .feedback("spoofcookie.cookie-login")
+          .output(String.format(COOKIE_INFO, cookieUsername, cookieValue))
+          .build();
+    }
+
+    return failed(this).feedback("spoofcookie.wrong-cookie").build();
+  }
+}

core-codemods/src/test/resources/sonar-missing-secure-flag-2092/SpoofCookieAssignment.java.before

@@ -0,0 +1,125 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2021 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.lessons.spoofcookie;
+
+import java.util.Map;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletResponse;
+import org.apache.commons.lang3.StringUtils;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.owasp.webgoat.lessons.spoofcookie.encoders.EncDec;
+import org.springframework.web.bind.UnsatisfiedServletRequestParameterException;
+import org.springframework.web.bind.annotation.CookieValue;
+import org.springframework.web.bind.annotation.ExceptionHandler;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+
+/***
+ *
+ * @author Angel Olle Blazquez
+ *
+ */
+
+@RestController
+public class SpoofCookieAssignment extends AssignmentEndpoint {
+
+  private static final String COOKIE_NAME = "spoof_auth";
+  private static final String COOKIE_INFO =
+      "Cookie details for user %s:<br />" + COOKIE_NAME + "=%s";
+  private static final String ATTACK_USERNAME = "tom";
+
+  private static final Map<String, String> users =
+      Map.of("webgoat", "webgoat", "admin", "admin", ATTACK_USERNAME, "apasswordfortom");
+
+  @PostMapping(path = "/SpoofCookie/login")
+  @ResponseBody
+  @ExceptionHandler(UnsatisfiedServletRequestParameterException.class)
+  public AttackResult login(
+      @RequestParam String username,
+      @RequestParam String password,
+      @CookieValue(value = COOKIE_NAME, required = false) String cookieValue,
+      HttpServletResponse response) {
+
+    if (StringUtils.isEmpty(cookieValue)) {
+      return credentialsLoginFlow(username, password, response);
+    } else {
+      return cookieLoginFlow(cookieValue);
+    }
+  }
+
+  @GetMapping(path = "/SpoofCookie/cleanup")
+  public void cleanup(HttpServletResponse response) {
+    Cookie cookie = new Cookie(COOKIE_NAME, "");
+    cookie.setMaxAge(0);
+    response.addCookie(cookie);
+  }
+
+  private AttackResult credentialsLoginFlow(
+      String username, String password, HttpServletResponse response) {
+    String lowerCasedUsername = username.toLowerCase();
+    if (ATTACK_USERNAME.equals(lowerCasedUsername)
+        && users.get(lowerCasedUsername).equals(password)) {
+      return informationMessage(this).feedback("spoofcookie.cheating").build();
+    }
+
+    String authPassword = users.getOrDefault(lowerCasedUsername, "");
+    if (!authPassword.isBlank() && authPassword.equals(password)) {
+      String newCookieValue = EncDec.encode(lowerCasedUsername);
+      Cookie newCookie = new Cookie(COOKIE_NAME, newCookieValue);
+      newCookie.setPath("/WebGoat");
+      newCookie.setSecure(true);
+      response.addCookie(newCookie);
+      return informationMessage(this)
+          .feedback("spoofcookie.login")
+          .output(String.format(COOKIE_INFO, lowerCasedUsername, newCookie.getValue()))
+          .build();
+    }
+
+    return informationMessage(this).feedback("spoofcookie.wrong-login").build();
+  }
+
+  private AttackResult cookieLoginFlow(String cookieValue) {
+    String cookieUsername;
+    try {
+      cookieUsername = EncDec.decode(cookieValue).toLowerCase();
+    } catch (Exception e) {
+      // for providing some instructive guidance, we won't return 4xx error here
+      return failed(this).output(e.getMessage()).build();
+    }
+    if (users.containsKey(cookieUsername)) {
+      if (cookieUsername.equals(ATTACK_USERNAME)) {
+        return success(this).build();
+      }
+      return failed(this)
+          .feedback("spoofcookie.cookie-login")
+          .output(String.format(COOKIE_INFO, cookieUsername, cookieValue))
+          .build();
+    }
+
+    return failed(this).feedback("spoofcookie.wrong-cookie").build();
+  }
+}

core-codemods/src/test/resources/sonar-missing-secure-flag-2092/sonar-hotspots.json

@@ -0,0 +1,48 @@
+{
+  "paging": {
+    "pageIndex": 1,
+    "pageSize": 100,
+    "total": 1
+  },
+  "hotspots": [
+    {
+      "key": "AZPB23bawGhA7VQ2Ui-U",
+      "component": "nahsra_WebGoatSonarDemo:src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java",
+      "project": "nahsra_WebGoatSonarDemo",
+      "securityCategory": "insecure-conf",
+      "vulnerabilityProbability": "LOW",
+      "status": "TO_REVIEW",
+      "line": 76,
+      "message": "Make sure creating this cookie without the \"secure\" flag is safe here.",
+      "assignee": "AYu2RswFLuhbfWU895e4",
+      "author": "[email protected]",
+      "creationDate": "2024-12-13T22:06:37+0100",
+      "updateDate": "2024-12-13T22:09:25+0100",
+      "textRange": {
+        "startLine": 76,
+        "endLine": 76,
+        "startOffset": 24,
+        "endOffset": 30
+      },
+      "flows": [],
+      "ruleKey": "java:S2092"
+    }
+  ],
+  "components": [
+    {
+      "organization": "nahsra",
+      "key": "nahsra_WebGoatSonarDemo:src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java",
+      "qualifier": "FIL",
+      "name": "SpoofCookieAssignment.java",
+      "longName": "src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java",
+      "path": "src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java"
+    },
+    {
+      "organization": "nahsra",
+      "key": "nahsra_WebGoatSonarDemo",
+      "qualifier": "TRK",
+      "name": "WebGoatSonarDemo",
+      "longName": "WebGoatSonarDemo"
+    }
+  ]
+}