Initial version of SonarSecureCookie

andrecsilva · andrecsilva · commit 01195fea7b4e · 2025-01-16T10:00:14.000-03:00
diff --git a/src/core_codemods/__init__.py b/src/core_codemods/__init__.py
@@ -89,6 +89,7 @@
     SonarRemoveAssertionInPytestRaises,
 )
 from .sonar.sonar_sandbox_process_creation import SonarSandboxProcessCreation
+from .sonar.sonar_secure_cookie import SonarSecureCookie
 from .sonar.sonar_secure_random import SonarSecureRandom
 from .sonar.sonar_sql_parameterization import SonarSQLParameterization
 from .sonar.sonar_tempfile_mktemp import SonarTempfileMktemp
@@ -204,6 +205,7 @@
         SonarInvertedBooleanCheck,
         SonarTimezoneAwareDatetime,
         SonarSandboxProcessCreation,
+        SonarSecureCookie,
     ],
 )
 
diff --git a/src/core_codemods/secure_flask_cookie.py b/src/core_codemods/secure_flask_cookie.py
@@ -1,9 +1,23 @@
-from core_codemods.api import Metadata, Reference, ReviewGuidance, SimpleCodemod
+from codemodder.codemods.libcst_transformer import (
+    LibcstResultTransformer,
+    LibcstTransformerPipeline,
+)
+from codemodder.codemods.semgrep import SemgrepRuleDetector
+from core_codemods.api import Metadata, Reference, ReviewGuidance
+from core_codemods.api.core_codemod import CoreCodemod
 from core_codemods.secure_cookie_mixin import SecureCookieMixin
 
 
-class SecureFlaskCookie(SimpleCodemod, SecureCookieMixin):
-    metadata = Metadata(
+class SecureCookieTransformer(LibcstResultTransformer, SecureCookieMixin):
+    def on_result_found(self, original_node, updated_node):
+        new_args = self.replace_args(
+            original_node, self._choose_new_args(original_node)
+        )
+        return self.update_arg_target(updated_node, new_args)
+
+
+SecureFlaskCookie = CoreCodemod(
+    metadata=Metadata(
         name="secure-flask-cookie",
         summary="Use Safe Parameters in `flask` Response `set_cookie` Call",
         review_guidance=ReviewGuidance.MERGE_AFTER_CURSORY_REVIEW,
@@ -14,10 +28,14 @@ class SecureFlaskCookie(SimpleCodemod, SecureCookieMixin):
             Reference(
                 url="https://owasp.org/www-community/controls/SecureCookieAttribute"
             ),
+            Reference(url="https://cwe.mitre.org/data/definitions/1004"),
+            Reference(url="https://cwe.mitre.org/data/definitions/311"),
+            Reference(url="https://cwe.mitre.org/data/definitions/315"),
+            Reference(url="https://cwe.mitre.org/data/definitions/614"),
         ],
-    )
-    change_description = "Flask response `set_cookie` call should be called with `secure=True`, `httponly=True`, and `samesite='Lax'`."
-    detector_pattern = """
+    ),
+    detector=SemgrepRuleDetector(
+        """
         rules:
           - id: secure-flask-cookie
             mode: taint
@@ -38,10 +56,7 @@ class SecureFlaskCookie(SimpleCodemod, SecureCookieMixin):
                 - pattern: $SINK.set_cookie(...)
                 - pattern-not: $SINK.set_cookie(..., secure=True, ..., httponly=True, ..., samesite="Lax", ...)
                 - pattern-not: $SINK.set_cookie(..., secure=True, ..., httponly=True, ..., samesite="Strict", ...)
-        """
-
-    def on_result_found(self, original_node, updated_node):
-        new_args = self.replace_args(
-            original_node, self._choose_new_args(original_node)
-        )
-        return self.update_arg_target(updated_node, new_args)
+    """
+    ),
+    transformer=LibcstTransformerPipeline(SecureCookieTransformer),
+)
diff --git a/src/core_codemods/sonar/api.py b/src/core_codemods/sonar/api.py
@@ -15,39 +15,53 @@ def origin(self):
         return "sonar"
 
     @classmethod
-    def from_core_codemod(
+    def from_core_codemod_with_multiple_rules(
         cls,
         name: str,
         other: CoreCodemod,
-        rule_id: str,
-        rule_name: str,
+        rules: list[ToolRule],
         transformer: BaseTransformerPipeline | None = None,
     ):
-        rule_url = sonar_url_from_id(rule_id)
         return SonarCodemod(
             metadata=Metadata(
                 name=name,
                 summary=other.summary,
                 review_guidance=other._metadata.review_guidance,
                 references=(
-                    other.references + [Reference(url=rule_url, description=rule_name)]
+                    other.references
+                    + [Reference(url=tr.url or "", description=tr.name) for tr in rules]
                 ),
                 description=other.description,
                 tool=ToolMetadata(
                     name="Sonar",
-                    rules=[
-                        ToolRule(
-                            id=rule_id,
-                            name=rule_name,
-                            url=rule_url,
-                        )
-                    ],
+                    rules=rules,
                 ),
             ),
             transformer=transformer if transformer else other.transformer,
             detector=SonarDetector(),
             default_extensions=other.default_extensions,
-            requested_rules=[rule_id],
+            requested_rules=[tr.id for tr in rules],
+        )
+
+    @classmethod
+    def from_core_codemod(
+        cls,
+        name: str,
+        other: CoreCodemod,
+        rule_id: str,
+        rule_name: str,
+        transformer: BaseTransformerPipeline | None = None,
+    ):
+        rule_url = sonar_url_from_id(rule_id)
+        rules = [
+            ToolRule(
+                id=rule_id,
+                name=rule_name,
+                url=rule_url,
+            ),
+        ]
+        return cls.from_core_codemod_with_multiple_rules(
+            name, other, rules, transformer
         )
 
 
diff --git a/src/core_codemods/sonar/sonar_secure_cookie.py b/src/core_codemods/sonar/sonar_secure_cookie.py
@@ -0,0 +1,22 @@
+from codemodder.codemods.base_codemod import ToolRule
+from core_codemods.secure_flask_cookie import SecureFlaskCookie
+from core_codemods.sonar.api import SonarCodemod
+
+rules = [
+    ToolRule(
+        id="python:S3330",
+        name='Creating cookies without the "HttpOnly" flag is security-sensitive',
+        url="https://rules.sonarsource.com/python/RSPEC-3330/",
+    ),
+    ToolRule(
+        id="python:S2092",
+        name='Creating cookies without the "secure" flag is security-sensitive',
+        url="ahttps://rules.sonarsource.com/python/RSPEC-2092/",
+    ),
+]
+
+SonarSecureCookie = SonarCodemod.from_core_codemod_with_multiple_rules(
+    name="secure-random",
+    other=SecureFlaskCookie,
+    rules=rules,
+)

Original file line number	Diff line number	Diff line change
`@@ -89,6 +89,7 @@`
`89`	`89`	`SonarRemoveAssertionInPytestRaises,`
`90`	`90`	`)`
`91`	`91`	`from .sonar.sonar_sandbox_process_creation import SonarSandboxProcessCreation`
	`92`	`+from .sonar.sonar_secure_cookie import SonarSecureCookie`
`92`	`93`	`from .sonar.sonar_secure_random import SonarSecureRandom`
`93`	`94`	`from .sonar.sonar_sql_parameterization import SonarSQLParameterization`
`94`	`95`	`from .sonar.sonar_tempfile_mktemp import SonarTempfileMktemp`
`@@ -204,6 +205,7 @@`
`204`	`205`	`SonarInvertedBooleanCheck,`
`205`	`206`	`SonarTimezoneAwareDatetime,`
`206`	`207`	`SonarSandboxProcessCreation,`
	`208`	`+ SonarSecureCookie,`
`207`	`209`	`],`
`208`	`210`	`)`
`209`	`211`