SONARPHP-1582 S3330: Only raise for variable cookies

SonarSource · Dec 5, 2024 · 4f0bfc5 · 4f0bfc5
1 parent 89aec73
commit 4f0bfc5
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 1 deletion.
diff --git a/php-checks/src/main/java/org/sonar/php/checks/HttpOnlyCheck.java b/php-checks/src/main/java/org/sonar/php/checks/HttpOnlyCheck.java
@@ -70,7 +70,7 @@ public void visitFunctionCall(FunctionCallTree tree) {
         createIssueIfHttpOnlyIsFalse(argument.get().value(), tree);
       } else if (tree.callArguments().size() != 3) {
         // if only 3 argument are defined there is an ambiguity so we don't raise issue
-        context().newIssue(this, tree.callee(), MESSAGE);
+        createIssueIfCookieValueIsNotHardcoded(tree);
       }
     }
     if (isSymfonyCookieCreation(tree)) {
@@ -109,4 +109,16 @@ private void createIssueIfHttpOnlyIsFalse(ExpressionTree argument, FunctionCallT
       context().newIssue(this, tree.callee(), MESSAGE).secondary(argument, null);
     }
   }
+
+  private void createIssueIfCookieValueIsNotHardcoded(FunctionCallTree tree) {
+    Optional<CallArgumentTree> cookieValue = CheckUtils.argument(tree, "value", 1);
+    if (cookieValue.isEmpty() || isHardcodedOrNullCookieValue(cookieValue.get())) {
+      return;
+    }
+    context().newIssue(this, tree.callee(), MESSAGE);
+  }
+
+  private static boolean isHardcodedOrNullCookieValue(CallArgumentTree cookieValue) {
+    return cookieValue.value().is(Kind.NULL_LITERAL) || cookieValue.value().is(Kind.REGULAR_STRING_LITERAL);
+  }
 }
diff --git a/php-checks/src/test/resources/checks/HttpOnlyCheck.php b/php-checks/src/test/resources/checks/HttpOnlyCheck.php
@@ -1,5 +1,6 @@
 <?php
 
+
   setcookie($name, $value, $expire, $path, $domain, true, false); // Noncompliant {{Make sure creating this cookie without the "httpOnly" flag is safe here.}}
 //^^^^^^^^^                                               ^^^^^ <
   setrawcookie($name, $value, $expire, $path, $domain, true, false); // Noncompliant {{Make sure creating this cookie without the "httpOnly" flag is safe here.}}
@@ -13,6 +14,16 @@
 setcookie($name, $value, $expire, $path);  // Noncompliant
 setcookie($name, $value); // Noncompliant
 
+
+setcookie("tokenIdentity"); // Compliant; cookie value is empty by default
+setcookie("tokenIdentity", path:"/", value:'foo', expires_or_options:time() - 42000); // Compliant; cookie value is hardcoded
+setcookie(session_name(), '', time() - 3600, '/'); // Compliant; cookie value is hardcoded
+setcookie(session_name(), "", time() - 3600, '/'); // Compliant; cookie value is hardcoded
+\setcookie(\session_name(), null, -1, \OC::$WEBROOT ? : '/'); // Compliant; cookie value is  null
+setcookie("tokenIdentity", 'foo', time() - 42000, "/"); // Compliant; cookie value is hardcoded
+setcookie("tokenIdentity", "foo", time() - 42000, "/"); // Compliant; cookie value is hardcoded
+
+
 setrawcookie($name, $value, $expire, $path, $domain, true, foo(false));
 setrawcookie($name, $value, $expire, $path, $domain, true, true);
 setrawcookie($name, $value, $expire, $path, $domain, false);  // Noncompliant