
Rules S3330 and S2092 should support CookieOptions object (missing HttpOnly or Secure flags) #2705

Closed
eric-therond-sonarsource opened this issue Oct 9, 2019 · 0 comments · Fixed by #2779
Assignees
Labels
Area: C# C# rules related issues.
Milestone

Comments

@eric-therond-sonarsource

Description

Improve the detection engine for S3330 and S2092 so that it supports the CookieOptions object.

Repro steps

You will find non-compliant source code for S3330 and S2092 in this repository:
https://github.com/SonarSource/security-expected-issues/tree/master/dotnet/rules/hotspots

Expected behavior

  • S3330 should raise an issue when the HttpOnly property is set to false or is not defined (the property value is false by default)
  • S2092 should raise an issue when the Secure property is set to false or is not defined (the property value is false by default)

Actual behavior

Currently S3330 and S2092 do not raise issues when a CookieOptions object is used in an insecure way.
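The three cases described above (defaults left unset, flags explicitly false, and the compliant form) as an added illustration; this is not code from the issue or from the sonar-dotnet repository, and it assumes ASP.NET Core's Microsoft.AspNetCore.Http namespace, where CookieOptions and HttpResponse.Cookies.Append are defined.

```csharp
using Microsoft.AspNetCore.Http;

public static class CookieExamples
{
    // Non-compliant: a bare CookieOptions leaves HttpOnly and Secure at their
    // default value (false), so both S3330 and S2092 are expected to report here.
    public static void SetSessionCookieDefaults(HttpResponse response, string sessionId)
    {
        var options = new CookieOptions(); // HttpOnly = false, Secure = false by default
        response.Cookies.Append("session", sessionId, options);
    }

    // Non-compliant: the flags are set explicitly to false.
    public static void SetSessionCookieExplicitlyInsecure(HttpResponse response, string sessionId)
    {
        var options = new CookieOptions
        {
            HttpOnly = false, // S3330: cookie readable from client-side script
            Secure = false    // S2092: cookie also sent over plain HTTP
        };
        response.Cookies.Append("session", sessionId, options);
    }

    // Compliant: both flags are set, so the cookie is hidden from script
    // and only transmitted over HTTPS.
    public static void SetSessionCookieSecure(HttpResponse response, string sessionId)
    {
        var options = new CookieOptions
        {
            HttpOnly = true,
            Secure = true
        };
        response.Cookies.Append("session", sessionId, options);
    }
}
```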

@agigleux agigleux added the Area: VB.NET VB.NET rules related issues. label Oct 28, 2019
@agigleux agigleux changed the title Rules S3330 and S2092 should report missing security flags on CookieOptions object Rules S3330 and S2092 should support CookieOptions object (missing HttpOnly or Secure flags) Oct 28, 2019
@christophe-zurn-sonarsource christophe-zurn-sonarsource added this to the 8.1 milestone Nov 5, 2019
@christophe-zurn-sonarsource christophe-zurn-sonarsource removed the Area: VB.NET VB.NET rules related issues. label Dec 10, 2019