Potential fix for issue #182 (INSECURE_COOKIE detector can be fooled by creating two or more cookies) #204
Conversation
…ookie flag detection algorithm to handle multiple cookies in one method
…detection when multiple cookies are created
…xample use case found in bug find-sec-bugs#182
); | ||
List<Integer> lines = Arrays.asList(new Integer[] { 68, 79, 88 }); | ||
for (int line : lines) { | ||
verify(reporter, never()).doReportBug( |
Avoid using never() when the line property is set. The broken tests could be badly fixed by adding new lines.
Most tests are using this pattern:
- Validate true positives first (with the specific lines).
- Validate the count of true positives (verify(reporter,times(X)).bugType("BUG_X").inClass("Class").inMethod("method").build()).
Noted.
I pushed a new version of the test file.
…ine numbers with the never() annotation
I will accept the change. In the long term, we will need to generalize the pattern through a utility class or a base Detector.
…instance tracker detector
…instance tracker detector
I changed the behavior of the CookieFlagsDetector and it now covers the example found in bug #182.
It now behaves as a "mini taint detector"; some of the default FindBugs checks work like this (like the SqlInjection one) and they seem to work fine.
It first finds the cookie creation call, saves the position of the cookie on the stack, and checks whether it can find the .setHttpOnly or .setSecure method call for this object on the stack.
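The following is an added illustration, not code from the find-sec-bugs project or from this PR: a small Python model of the "mini taint detector" idea described in the comment above, run over a hand-constructed instruction list that imitates what javac emits for the two-cookie method from issue #182. The opcode names, the Instr/CookieRef types, the assumption that the HttpServletResponse sits in local slot 1, and the sample method are all assumptions made for the example. It contrasts a method-wide scan (fooled because the flagged cookie's setter calls appear after the unflagged cookie's creation) with a per-object walk of the operand stack that credits a flag only to the cookie it was actually called on, and only when the argument is true.

```python
# Added example (not find-sec-bugs code): toy per-object cookie-flag check.
from dataclasses import dataclass, field

COOKIE = "javax/servlet/http/Cookie"
RESPONSE = "javax/servlet/http/HttpServletResponse"
FLAG_SETTERS = {"setHttpOnly", "setSecure"}


@dataclass
class Instr:
    op: str             # new | dup | ldc | astore | aload | invoke (assumed toy ISA)
    arg: object = None  # class name, constant, local slot, or "Owner.method"
    argc: int = 0       # argument count for invoke (receiver not included)


@dataclass
class CookieRef:
    created_at: int                      # pc of the "new Cookie" instruction
    flags: set = field(default_factory=set)


def method_name(invoke_arg):
    return invoke_arg.rsplit(".", 1)[-1]


def naive_scan(code):
    """Method-wide scan that issue #182 fools: after each cookie creation it only
    asks whether *some* later call to each setter exists, regardless of target."""
    findings = []
    for pc, ins in enumerate(code):
        if ins.op == "new" and ins.arg == COOKIE:
            later = {method_name(i.arg) for i in code[pc + 1:] if i.op == "invoke"}
            findings.extend((pc, s) for s in sorted(FLAG_SETTERS - later))
    return findings


def per_instance_scan(code):
    """Mini taint tracking: walk the operand stack, remember every Cookie object
    created, and record a flag only when a setter is invoked with True on that
    same object (reached directly on the stack or via a local it was stored in)."""
    stack, slots, cookies = [], {1: "response"}, []   # slot 1 = response (assumed)
    for pc, ins in enumerate(code):
        if ins.op == "new":
            ref = CookieRef(pc) if ins.arg == COOKIE else object()  # others opaque
            if isinstance(ref, CookieRef):
                cookies.append(ref)
            stack.append(ref)
        elif ins.op == "dup":
            stack.append(stack[-1])
        elif ins.op == "ldc":
            stack.append(ins.arg)
        elif ins.op == "astore":
            slots[ins.arg] = stack.pop()
        elif ins.op == "aload":
            stack.append(slots[ins.arg])
        elif ins.op == "invoke":
            args = [stack.pop() for _ in range(ins.argc)][::-1]
            receiver = stack.pop()
            name = method_name(ins.arg)
            if isinstance(receiver, CookieRef) and name in FLAG_SETTERS and args == [True]:
                receiver.flags.add(name)   # setHttpOnly(false) does not count
            # every method in this toy model returns void, so nothing is pushed
        else:
            raise ValueError(f"unknown op {ins.op!r} at pc {pc}")
    findings = []
    for ref in cookies:
        findings.extend((ref.created_at, s) for s in sorted(FLAG_SETTERS - ref.flags))
    return findings


def cookie_ctor(name, value):
    """new Cookie(name, value) as javac lays it out: new, dup, args, <init>."""
    return [Instr("new", COOKIE), Instr("dup"), Instr("ldc", name), Instr("ldc", value),
            Instr("invoke", COOKIE + ".<init>", 2)]


# Constructed sample imitating the #182 shape: "session" is never flagged,
# "pref" gets both flags afterwards, and both cookies are added to the response.
TWO_COOKIES = (
    cookie_ctor("session", "opaque-token") + [Instr("astore", 2)]
    + cookie_ctor("pref", "dark") + [Instr("astore", 3)]
    + [Instr("aload", 3), Instr("ldc", True), Instr("invoke", COOKIE + ".setHttpOnly", 1),
       Instr("aload", 3), Instr("ldc", True), Instr("invoke", COOKIE + ".setSecure", 1),
       Instr("aload", 1), Instr("aload", 2), Instr("invoke", RESPONSE + ".addCookie", 1),
       Instr("aload", 1), Instr("aload", 3), Instr("invoke", RESPONSE + ".addCookie", 1)]
)

if __name__ == "__main__":
    print("naive:       ", naive_scan(TWO_COOKIES))         # []
    print("per-instance:", per_instance_scan(TWO_COOKIES))  # [(0, 'setHttpOnly'), (0, 'setSecure')]
```

The findings are keyed by the pc of the `new Cookie` instruction, which is where a real detector would attach the source line; the naive scan returns nothing for the sample because it sees the later setter calls and never asks which object they were made on.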