Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Potential fix for issue #182 (INSECURE_COOKIE detector can be fooled by creating two or more cookies) #204

Merged
merged 5 commits into from Jul 14, 2016
Merged

Potential fix for issue #182 (INSECURE_COOKIE detector can be fooled by creating two or more cookies) #204

merged 5 commits into from Jul 14, 2016

Conversation

MaxNad
Copy link
Member

@MaxNad MaxNad commented Jul 14, 2016

I changed the behavior of the CookieFlagsDetector and it now covers the example found in bug #182 .

It now behaves as a "mini taint detector", some of the default Find-Bugs checks are working like this (like the SqlInjection one) and they seem to work fine.

It first finds the cookie creation call, saves the position of the cookie on the stack and checks if it can find the .setHttpOnly or setSecure method for this object on the stack.

@MaxNad MaxNad added the bug label Jul 14, 2016
h3xstream
h3xstream reviewed Jul 14, 2016
View reviewed changes
plugin/src/test/java/com/h3xstream/findsecbugs/cookie/CookieFlagsDetectorTest.java
);
List<Integer> lines = Arrays.asList(new Integer[] { 68, 79, 88 });
for (int line : lines) {
verify(reporter, never()).doReportBug(
Copy link
Member

@h3xstream h3xstream Jul 14, 2016
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Avoid using never() when the property line set. The broken tests could be badly fixed by adding new lines.

Most tests are using this pattern:

  • Validate true positive first. (with the specific lines)
  • Validate the count of true positive (verify(reporter,times(X)).bugType("BUG_X").inClass("Class").inMethod("method").build())

Copy link
Member Author

@MaxNad MaxNad Jul 14, 2016
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Noted.
I pushed a new version of the test file.

@h3xstream
Copy link
Member

I will accept the change.

On the long term, we will need to generalize the pattern trough a utility class or a base Detector.
There few detectors where we need to track instances : cookie attribute, XXE and key size for cipher.

@h3xstream h3xstream merged commit 3f70162 into find-sec-bugs:master Jul 14, 2016
@h3xstream h3xstream added the enhancement New feature or improvement to existing detector. label Jul 14, 2016
@h3xstream h3xstream added this to the version-1.5.0 milestone Jul 14, 2016
@MaxNad MaxNad deleted the issue_182 branch July 14, 2016 19:13
MaxNad added a commit to MaxNad/find-sec-bugs that referenced this pull request Jul 27, 2016
@MaxNad
Proposition in find-sec-bugs#204 - Starting to generalize the object …
26c7b7a 
…instance tracker detector
MaxNad added a commit to MaxNad/find-sec-bugs that referenced this pull request Jul 27, 2016
@MaxNad
Proposition in find-sec-bugs#204 - Starting to generalize the object …
6680179 
…instance tracker detector
@MaxNad MaxNad mentioned this pull request Jul 27, 2016
Open
@MaxNad MaxNad mentioned this pull request Sep 7, 2016
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
bug enhancement New feature or improvement to existing detector.
Projects
None yet
Milestone
version-1.5.0
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@MaxNad @h3xstream