From 921d04a4295a58a7ab676395bfd47dd36cd8b834 Mon Sep 17 00:00:00 2001 From: "Pieter De Cremer (Semgrep)" Date: Thu, 30 Nov 2023 08:39:52 +0100 Subject: [PATCH] Remove incorrect fix for cookie-issecure-false.yaml This fix is seemingly copied from another rule. This rule checks for missing `setSecure(true)`, but the fix replaces a `setSecure(false)` with a `setSecure(true)`. For a good autofix, this rule needs to be split into two rules: - One for a missing `setSecure` call, that adds one with the right arguments - One for a `setSecure` call with `false` that needs to be replaced with `true`. Neither will need `fix-regex`, but can be fixed with a regular `fix`. --- java/servlets/security/cookie-issecure-false.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/java/servlets/security/cookie-issecure-false.yaml b/java/servlets/security/cookie-issecure-false.yaml index 3d3cb77634..96e23ad321 100644 --- a/java/servlets/security/cookie-issecure-false.yaml +++ b/java/servlets/security/cookie-issecure-false.yaml @@ -10,9 +10,6 @@ rules: message: >- Default session middleware settings: `setSecure` not set to true. This ensures that the cookie is sent only over HTTPS to prevent cross-site scripting attacks. - fix-regex: - regex: setSecure\(false\) - replacement: setSecure(true) metadata: vulnerability: Insecure Transport owasp:
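Review bot: Dropping the `fix-regex` block is the right call, since a pattern that matches a missing `setSecure(true)` call has no `setSecure(false)` text to rewrite, so the autofix could never apply to the findings this rule produces; consider also correcting the `message` left in the hunk's context lines, which reads "This ensures that the cookie is sent only over HTTPS to prevent cross-site scripting attacks." The Secure flag stops the browser from sending the cookie over plaintext HTTP (protecting it from interception on the network), and does nothing against cross-site scripting; a phrasing such as "to prevent the cookie from being sent over unencrypted HTTP" would match the `vulnerability: Insecure Transport` metadata directly below it.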