New Published Rules - federicobellini.session-cookie-samesitenone (#3361

) * add federicobellini/session-cookie-samesitenone.yaml * add federicobellini/session-cookie-samesitenone.go * move session-cookie-samesitenone rule to go/gorilla folder --------- Co-authored-by: semgrep.dev <support@r2c.dev> Co-authored-by: Vasilii <inkz@xakep.ru>
semgrep · May 8, 2024 · 0502383 · 0502383
1 parent 6d94071
commit 0502383
Show file tree

Hide file tree

Showing 2 changed files with 76 additions and 0 deletions.
diff --git a/go/gorilla/security/audit/session-cookie-samesitenone.go b/go/gorilla/security/audit/session-cookie-samesitenone.go
@@ -0,0 +1,40 @@
+package main
+
+import (
+    "net/http"
+    "github.com/gorilla/sessions"
+)
+
+var store = sessions.NewCookieStore([]byte(""))
+
+func setSessionWithSameSiteNone(w http.ResponseWriter, r *http.Request) {
+    session, _ := store.Get(r, "session-name")
+    // ruleid: session-cookie-samesitenone
+    session.Options = &sessions.Options{
+        Path:     "/",
+        MaxAge:   3600,
+        HttpOnly: true,
+        Secure:   true,
+        SameSite: http.SameSiteNoneMode,
+    }
+    session.Save(r, w)
+}
+
+func setSessionWithSameSiteStrict(w http.ResponseWriter, r *http.Request) {
+    session, _ := store.Get(r, "session-name")
+    // ok: session-cookie-samesitenone
+    session.Options = &sessions.Options{
+        Path:     "/",
+        MaxAge:   3600,
+        HttpOnly: true,
+        Secure:   true,
+        SameSite: http.SameSiteStrictMode,
+    }
+    session.Save(r, w)
+}
+
+func main() {
+    http.HandleFunc("/set-none", setSessionWithSameSiteNone)
+    http.HandleFunc("/set-strict", setSessionWithSameSiteStrict)
+    http.ListenAndServe(":8080", nil)
+}
diff --git a/go/gorilla/security/audit/session-cookie-samesitenone.yaml b/go/gorilla/security/audit/session-cookie-samesitenone.yaml
@@ -0,0 +1,36 @@
+rules:
+- id: session-cookie-samesitenone
+  patterns:
+  - pattern-inside: |
+      &sessions.Options{
+        ...,
+        SameSite: http.SameSiteNoneMode,
+        ...,
+      }
+  - pattern: |
+      &sessions.Options{
+        ...,
+      }
+  message: Found SameSiteNoneMode setting in Gorilla session options. Consider setting
+    SameSite to Lax, Strict or Default for enhanced security.
+  metadata:
+    cwe:
+    - 'CWE-1275: Sensitive Cookie with Improper SameSite Attribute'
+    owasp:
+    - A05:2021 - Security Misconfiguration
+    references:
+    - https://pkg.go.dev/github.com/gorilla/sessions#Options
+    category: security
+    technology:
+    - gorilla
+    confidence: MEDIUM
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: LOW
+  fix-regex:
+    regex: (SameSite\s*:\s+)http.SameSiteNoneMode
+    replacement: \1http.SameSiteDefaultMode
+  severity: WARNING
+  languages:
+  - go