From 4f0bfc567fec416d47ca10bdc72a57f89f5699d8 Mon Sep 17 00:00:00 2001
From: Jonas Wielage
Date: Thu, 5 Dec 2024 13:31:59 +0100
Subject: [PATCH] SONARPHP-1582 S3330: Only raise for variable cookies
---
 .../java/org/sonar/php/checks/HttpOnlyCheck.java | 14 +++++++++++++-
 .../src/test/resources/checks/HttpOnlyCheck.php | 11 +++++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/php-checks/src/main/java/org/sonar/php/checks/HttpOnlyCheck.java b/php-checks/src/main/java/org/sonar/php/checks/HttpOnlyCheck.java
index 777617d0b3..07c53d2ccb 100644
--- a/php-checks/src/main/java/org/sonar/php/checks/HttpOnlyCheck.java
+++ b/php-checks/src/main/java/org/sonar/php/checks/HttpOnlyCheck.java
@@ -70,7 +70,7 @@ public void visitFunctionCall(FunctionCallTree tree) {
 createIssueIfHttpOnlyIsFalse(argument.get().value(), tree);
 } else if (tree.callArguments().size() != 3) {
 // if only 3 argument are defined there is an ambiguity so we don't raise issue
- context().newIssue(this, tree.callee(), MESSAGE);
+ createIssueIfCookieValueIsNotHardcoded(tree);
 }
 }
 if (isSymfonyCookieCreation(tree)) {
@@ -109,4 +109,16 @@ private void createIssueIfHttpOnlyIsFalse(ExpressionTree argument, FunctionCallT
 context().newIssue(this, tree.callee(), MESSAGE).secondary(argument, null);
 }
 }
+
+ private void createIssueIfCookieValueIsNotHardcoded(FunctionCallTree tree) {
+ Optional cookieValue = CheckUtils.argument(tree, "value", 1);
+ if (cookieValue.isEmpty() || isHardcodedOrNullCookieValue(cookieValue.get())) {
+ return;
+ }
+ context().newIssue(this, tree.callee(), MESSAGE);
+ }
+
+ private static boolean isHardcodedOrNullCookieValue(CallArgumentTree cookieValue) {
+ return cookieValue.value().is(Kind.NULL_LITERAL) || cookieValue.value().is(Kind.REGULAR_STRING_LITERAL);
+ }
 }
diff --git a/php-checks/src/test/resources/checks/HttpOnlyCheck.php b/php-checks/src/test/resources/checks/HttpOnlyCheck.php
index 47686ee355..6a94e51b56 100644
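Review bot: `isHardcodedOrNullCookieValue` in the second hunk recognises only `Kind.NULL_LITERAL` and `Kind.REGULAR_STRING_LITERAL` as hardcoded, so any other literal form the parser gives a distinct kind to (heredoc/nowdoc, numeric or boolean values, if the project's `Tree.Kind` separates them) still raises; that errs toward a false positive rather than a missed HttpOnly issue, which is the safe side for a security-sensitive rule, but it is not obvious from the commit title whether it is intended. Either way the helper deserves a Javadoc that states the contract, e.g. `/** True when the cookie value cannot carry session data: null or a plain string literal. Any other expression is treated as variable and reported. */`, and if other literal kinds are meant to be excluded too, each one should get a case in the test resource so the behaviour is pinned. `Optional cookieValue` appears without a type argument here, presumably lost in rendering since `get()` is passed where a `CallArgumentTree` is expected; if it really is raw in the source, `Optional<CallArgumentTree>` removes the unchecked call. The first hunk's `visitFunctionCall` and the enclosing class continue outside the hunks.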
--- a/php-checks/src/test/resources/checks/HttpOnlyCheck.php
+++ b/php-checks/src/test/resources/checks/HttpOnlyCheck.php
@@ -1,5 +1,6 @@