Initial version of SonarSecureCookie

Author: andrecsilva

src/core_codemods/__init__.py

@@ -89,6 +89,7 @@
     SonarRemoveAssertionInPytestRaises,
 )
 from .sonar.sonar_sandbox_process_creation import SonarSandboxProcessCreation
+from .sonar.sonar_secure_cookie import SonarSecureCookie
 from .sonar.sonar_secure_random import SonarSecureRandom
 from .sonar.sonar_sql_parameterization import SonarSQLParameterization
 from .sonar.sonar_tempfile_mktemp import SonarTempfileMktemp
@@ -204,6 +205,7 @@
         SonarInvertedBooleanCheck,
         SonarTimezoneAwareDatetime,
         SonarSandboxProcessCreation,
+        SonarSecureCookie,
     ],
 )
 

src/core_codemods/secure_flask_cookie.py

@@ -1,9 +1,25 @@
-from core_codemods.api import Metadata, Reference, ReviewGuidance, SimpleCodemod
+from codemodder.codemods.libcst_transformer import (
+    LibcstResultTransformer,
+    LibcstTransformerPipeline,
+)
+from codemodder.codemods.semgrep import SemgrepRuleDetector
+from core_codemods.api import Metadata, Reference, ReviewGuidance
+from core_codemods.api.core_codemod import CoreCodemod
 from core_codemods.secure_cookie_mixin import SecureCookieMixin
 
 
-class SecureFlaskCookie(SimpleCodemod, SecureCookieMixin):
-    metadata = Metadata(
+class SecureCookieTransformer(LibcstResultTransformer, SecureCookieMixin):
+    change_description = "Flask response `set_cookie` call should be called with `secure=True`, `httponly=True`, and `samesite='Lax'`."
+
+    def on_result_found(self, original_node, updated_node):
+        new_args = self.replace_args(
+            original_node, self._choose_new_args(original_node)
+        )
+        return self.update_arg_target(updated_node, new_args)
+
+
+SecureFlaskCookie = CoreCodemod(
+    metadata=Metadata(
         name="secure-flask-cookie",
         summary="Use Safe Parameters in `flask` Response `set_cookie` Call",
         review_guidance=ReviewGuidance.MERGE_AFTER_CURSORY_REVIEW,
@@ -14,11 +30,14 @@ class SecureFlaskCookie(SimpleCodemod, SecureCookieMixin):
             Reference(
                 url="https://owasp.org/www-community/controls/SecureCookieAttribute"
             ),
+            Reference(url="https://cwe.mitre.org/data/definitions/1004"),
+            Reference(url="https://cwe.mitre.org/data/definitions/311"),
+            Reference(url="https://cwe.mitre.org/data/definitions/315"),
             Reference(url="https://cwe.mitre.org/data/definitions/614"),
         ],
-    )
-    change_description = "Flask response `set_cookie` call should be called with `secure=True`, `httponly=True`, and `samesite='Lax'`."
-    detector_pattern = """
+    ),
+    detector=SemgrepRuleDetector(
+        """
         rules:
           - id: secure-flask-cookie
             mode: taint
@@ -39,10 +58,7 @@ class SecureFlaskCookie(SimpleCodemod, SecureCookieMixin):
                 - pattern: $SINK.set_cookie(...)
                 - pattern-not: $SINK.set_cookie(..., secure=True, ..., httponly=True, ..., samesite="Lax", ...)
                 - pattern-not: $SINK.set_cookie(..., secure=True, ..., httponly=True, ..., samesite="Strict", ...)
-        """
-
-    def on_result_found(self, original_node, updated_node):
-        new_args = self.replace_args(
-            original_node, self._choose_new_args(original_node)
-        )
-        return self.update_arg_target(updated_node, new_args)
+    """
+    ),
+    transformer=LibcstTransformerPipeline(SecureCookieTransformer),
+)

src/core_codemods/sonar/api.py

@@ -15,39 +15,53 @@ def origin(self):
         return "sonar"
 
     @classmethod
-    def from_core_codemod(
+    def from_core_codemod_with_multiple_rules(
         cls,
         name: str,
         other: CoreCodemod,
-        rule_id: str,
-        rule_name: str,
+        rules: list[ToolRule],
         transformer: BaseTransformerPipeline | None = None,
     ):
-        rule_url = sonar_url_from_id(rule_id)
         return SonarCodemod(
             metadata=Metadata(
                 name=name,
                 summary=other.summary,
                 review_guidance=other._metadata.review_guidance,
                 references=(
-                    other.references + [Reference(url=rule_url, description=rule_name)]
+                    other.references
+                    + [Reference(url=tr.url or "", description=tr.name) for tr in rules]
                 ),
                 description=other.description,
                 tool=ToolMetadata(
                     name="Sonar",
-                    rules=[
-                        ToolRule(
-                            id=rule_id,
-                            name=rule_name,
-                            url=rule_url,
-                        )
-                    ],
+                    rules=rules,
                 ),
             ),
             transformer=transformer if transformer else other.transformer,
             detector=SonarDetector(),
             default_extensions=other.default_extensions,
-            requested_rules=[rule_id],
+            requested_rules=[tr.id for tr in rules],
+        )
+
+    @classmethod
+    def from_core_codemod(
+        cls,
+        name: str,
+        other: CoreCodemod,
+        rule_id: str,
+        rule_name: str,
+        transformer: BaseTransformerPipeline | None = None,
+    ):
+        rule_url = sonar_url_from_id(rule_id)
+        rules = [
+            ToolRule(
+                id=rule_id,
+                name=rule_name,
+                url=rule_url,
+            ),
+        ]
+        return cls.from_core_codemod_with_multiple_rules(
+            name, other, rules, transformer
         )
 
 

src/core_codemods/sonar/sonar_secure_cookie.py

@@ -0,0 +1,43 @@
+from codemodder.codemods.base_codemod import ToolRule
+from codemodder.codemods.libcst_transformer import (
+    LibcstResultTransformer,
+    LibcstTransformerPipeline,
+)
+from core_codemods.secure_cookie_mixin import SecureCookieMixin
+from core_codemods.secure_flask_cookie import SecureFlaskCookie
+from core_codemods.sonar.api import SonarCodemod
+
+rules = [
+    ToolRule(
+        id="python:S3330",
+        name='Creating cookies without the "HttpOnly" flag is security-sensitive',
+        url="https://rules.sonarsource.com/python/RSPEC-3330/",
+    ),
+    ToolRule(
+        id="python:S2092",
+        name='Creating cookies without the "secure" flag is security-sensitive',
+        url="ahttps://rules.sonarsource.com/python/RSPEC-2092/",
+    ),
+]
+
+
+class SonarSecureCookieTransformer(LibcstResultTransformer, SecureCookieMixin):
+    change_description = "Flask response `set_cookie` call should be called with `secure=True`, `httponly=True`, and `samesite='Lax'`."
+
+    def leave_Call(self, original_node, updated_node):
+        # Try to match the func
+        if self.node_is_selected(original_node.func):
+            self.report_change(original_node)
+            new_args = self.replace_args(
+                original_node, self._choose_new_args(original_node)
+            )
+            return self.update_arg_target(updated_node, new_args)
+        return updated_node
+
+
+SonarSecureCookie = SonarCodemod.from_core_codemod_with_multiple_rules(
+    name="secure-cookie",
+    other=SecureFlaskCookie,
+    rules=rules,
+    transformer=LibcstTransformerPipeline(SonarSecureCookieTransformer),
+)