# This is a combination of 2 commits.

# This is the 1st commit message:

started

Ready for test checks

spotless

fixing tests

Some more tests fixed

spotless

Some more fixes

spotless

Quota test added

cleanup

small optimization in HttpResponseHeaderModuleImpl

optimization

test fixes

spotless

# This is the commit message #2:

fix a import missing from master rebase

Author: DDJavierSantos

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/IastSystem.java

@@ -6,9 +6,11 @@
 import com.datadog.iast.propagation.PropagationModuleImpl;
 import com.datadog.iast.propagation.StringModuleImpl;
 import com.datadog.iast.sink.CommandInjectionModuleImpl;
+import com.datadog.iast.sink.HttpResponseHeaderModuleImpl;
 import com.datadog.iast.sink.InsecureCookieModuleImpl;
 import com.datadog.iast.sink.LdapInjectionModuleImpl;
 import com.datadog.iast.sink.NoHttpOnlyCookieModuleImpl;
+import com.datadog.iast.sink.NoSameSiteCookieModuleImpl;
 import com.datadog.iast.sink.PathTraversalModuleImpl;
 import com.datadog.iast.sink.SqlInjectionModuleImpl;
 import com.datadog.iast.sink.SsrfModuleImpl;
@@ -90,8 +92,10 @@ private static Stream<IastModule> iastModules() {
         new WeakHashModuleImpl(),
         new LdapInjectionModuleImpl(),
         new PropagationModuleImpl(),
+        new HttpResponseHeaderModuleImpl(),
         new InsecureCookieModuleImpl(),
         new NoHttpOnlyCookieModuleImpl(),
+        new NoSameSiteCookieModuleImpl(),
         new SsrfModuleImpl(),
         new UnvalidatedRedirectModuleImpl(),
         new WeakRandomnessModuleImpl());

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/model/VulnerabilityType.java

@@ -11,6 +11,9 @@ public interface VulnerabilityType {
   VulnerabilityType INSECURE_COOKIE = new VulnerabilityTypeImpl(VulnerabilityTypes.INSECURE_COOKIE);
   VulnerabilityType NO_HTTPONLY_COOKIE =
       new VulnerabilityTypeImpl(VulnerabilityTypes.NO_HTTPONLY_COOKIE);
+  VulnerabilityType NO_SAMESITE_COOKIE =
+      new VulnerabilityTypeImpl(VulnerabilityTypes.NO_SAMESITE_COOKIE);
+
   InjectionType SQL_INJECTION = new InjectionTypeImpl(VulnerabilityTypes.SQL_INJECTION, ' ');
   InjectionType COMMAND_INJECTION =
       new InjectionTypeImpl(VulnerabilityTypes.COMMAND_INJECTION, ' ');

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/HttpResponseHeaderModuleImpl.java

@@ -0,0 +1,66 @@
+package com.datadog.iast.sink;
+
+import com.datadog.iast.model.Evidence;
+import com.datadog.iast.model.Location;
+import com.datadog.iast.model.Vulnerability;
+import com.datadog.iast.model.VulnerabilityType;
+import com.datadog.iast.overhead.Operations;
+import com.datadog.iast.util.CookieSecurityDetails;
+import com.datadog.iast.util.CookieSecurityParser;
+import datadog.trace.api.iast.InstrumentationBridge;
+import datadog.trace.api.iast.sink.HttpResponseHeaderModule;
+import datadog.trace.bootstrap.instrumentation.api.AgentSpan;
+import datadog.trace.bootstrap.instrumentation.api.AgentTracer;
+import java.util.Arrays;
+import java.util.List;
+import javax.annotation.Nonnull;
+
+public class HttpResponseHeaderModuleImpl extends SinkModuleBase
+    implements HttpResponseHeaderModule {
+  private static final String SET_COOKIE_HEADER = "Set-Cookie";
+
+  @Override
+  public void onHeader(@Nonnull final String name, final String value) {
+    if (SET_COOKIE_HEADER.equalsIgnoreCase(name)) {
+      CookieSecurityParser cookieSecurityInfo = new CookieSecurityParser(value);
+      onCookies(cookieSecurityInfo.getBadCookies());
+    }
+    if (null != InstrumentationBridge.UNVALIDATED_REDIRECT) {
+      InstrumentationBridge.UNVALIDATED_REDIRECT.onHeader(name, value);
+    }
+  }
+
+  private void onCookies(List<CookieSecurityDetails> vulnerableCookies) {
+    for (CookieSecurityDetails cookie : vulnerableCookies) {
+      final AgentSpan span = AgentTracer.activeSpan();
+      if (!overheadController.consumeQuota(Operations.REPORT_VULNERABILITY, span)) {
+        return;
+      }
+      Location location = Location.forSpanAndStack(spanId(span), getCurrentStackTrace());
+      Evidence evidence = new Evidence(cookie.getCookieName());
+      if (!cookie.isSecure() && null != InstrumentationBridge.INSECURE_COOKIE) {
+        reporter.report(
+            span, new Vulnerability(VulnerabilityType.INSECURE_COOKIE, location, evidence));
+      }
+      if (!cookie.isHttpOnly() && null != InstrumentationBridge.NO_HTTPONLY_COOKIE) {
+        reporter.report(
+            span, new Vulnerability(VulnerabilityType.NO_HTTPONLY_COOKIE, location, evidence));
+      }
+      if (!cookie.isSameSiteStrict() && null != InstrumentationBridge.NO_SAMESITE_COOKIE) {
+        reporter.report(
+            span, new Vulnerability(VulnerabilityType.NO_SAMESITE_COOKIE, location, evidence));
+      }
+    }
+  }
+
+  @Override
+  public void onCookie(
+      @Nonnull final String name,
+      final boolean isSecure,
+      final boolean isHttpOnly,
+      final boolean isSameSiteStrict) {
+    CookieSecurityDetails details =
+        new CookieSecurityDetails(name, isSecure, isHttpOnly, isSameSiteStrict);
+    onCookies(Arrays.asList(details));
+  }
+}

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/InsecureCookieModuleImpl.java

@@ -1,28 +1,5 @@
 package com.datadog.iast.sink;
 
-import com.datadog.iast.model.Evidence;
-import com.datadog.iast.model.VulnerabilityType;
-import com.datadog.iast.overhead.Operations;
 import datadog.trace.api.iast.sink.InsecureCookieModule;
-import datadog.trace.bootstrap.instrumentation.api.AgentSpan;
-import datadog.trace.bootstrap.instrumentation.api.AgentTracer;
-import javax.annotation.Nonnull;
 
-public class InsecureCookieModuleImpl extends SinkModuleBase implements InsecureCookieModule {
-
-  @Override
-  public void onCookie(
-      @Nonnull final String name,
-      final String value,
-      final boolean isSecure,
-      final boolean isHttpOnly,
-      final String sameSite) {
-    if (!isSecure) {
-      final AgentSpan span = AgentTracer.activeSpan();
-      if (!overheadController.consumeQuota(Operations.REPORT_VULNERABILITY, span)) {
-        return;
-      }
-      report(span, VulnerabilityType.INSECURE_COOKIE, new Evidence(name));
-    }
-  }
-}
+public class InsecureCookieModuleImpl extends SinkModuleBase implements InsecureCookieModule {}

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/NoHttpOnlyCookieModuleImpl.java

@@ -1,28 +1,5 @@
 package com.datadog.iast.sink;
 
-import com.datadog.iast.model.Evidence;
-import com.datadog.iast.model.VulnerabilityType;
-import com.datadog.iast.overhead.Operations;
 import datadog.trace.api.iast.sink.NoHttpOnlyCookieModule;
-import datadog.trace.bootstrap.instrumentation.api.AgentSpan;
-import datadog.trace.bootstrap.instrumentation.api.AgentTracer;
-import javax.annotation.Nonnull;
 
-public class NoHttpOnlyCookieModuleImpl extends SinkModuleBase implements NoHttpOnlyCookieModule {
-
-  @Override
-  public void onCookie(
-      @Nonnull final String name,
-      final String value,
-      final boolean isSecure,
-      final boolean isHttpOnly,
-      final String sameSite) {
-    if (!isHttpOnly) {
-      final AgentSpan span = AgentTracer.activeSpan();
-      if (!overheadController.consumeQuota(Operations.REPORT_VULNERABILITY, span)) {
-        return;
-      }
-      report(span, VulnerabilityType.NO_HTTPONLY_COOKIE, new Evidence(name));
-    }
-  }
-}
+public class NoHttpOnlyCookieModuleImpl extends SinkModuleBase implements NoHttpOnlyCookieModule {}

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/NoSameSiteCookieModuleImpl.java

@@ -0,0 +1,5 @@
+package com.datadog.iast.sink;
+
+import datadog.trace.api.iast.sink.NoSameSiteCookieModule;
+
+public class NoSameSiteCookieModuleImpl extends SinkModuleBase implements NoSameSiteCookieModule {}

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/SinkModuleBase.java

@@ -149,7 +149,7 @@ protected StackTraceElement getCurrentStackTrace() {
     return stackWalker.walk(SinkModuleBase::findValidPackageForVulnerability);
   }
 
-  private static long spanId(final AgentSpan span) {
+  static long spanId(final AgentSpan span) {
     return span == null ? 0 : span.getSpanId();
   }
 

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/util/CookieSecurityDetails.java

@@ -0,0 +1,46 @@
+package com.datadog.iast.util;
+
+public class CookieSecurityDetails {
+  String cookieName;
+  boolean isSecure = false;
+  boolean isSameSiteStrict = false;
+  boolean isHttpOnly = false;
+
+  public CookieSecurityDetails() {}
+
+  public CookieSecurityDetails(
+      String cookieName, boolean isSecure, boolean isSameSiteStrict, boolean isHttpOnly) {
+    this.cookieName = cookieName;
+    this.isSecure = isSecure;
+    this.isSameSiteStrict = isSameSiteStrict;
+    this.isHttpOnly = isHttpOnly;
+  }
+
+  void addAttribute(String name, String value) {
+    if ("SECURE".equalsIgnoreCase(name) && null == value) {
+      isSecure = true;
+    }
+    if ("HTTPONLY".equalsIgnoreCase(name) && "true".equalsIgnoreCase(value)) {
+      isHttpOnly = true;
+    }
+    if ("SAMESITE".equalsIgnoreCase(name) && "strict".equalsIgnoreCase(value)) {
+      isSameSiteStrict = true;
+    }
+  }
+
+  public String getCookieName() {
+    return cookieName;
+  }
+
+  public boolean isSecure() {
+    return isSecure;
+  }
+
+  public boolean isSameSiteStrict() {
+    return isSameSiteStrict;
+  }
+
+  public boolean isHttpOnly() {
+    return isHttpOnly;
+  }
+}

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/util/CookieSecurityParser.java

@@ -0,0 +1,84 @@
+package com.datadog.iast.util;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.NoSuchElementException;
+import java.util.StringTokenizer;
+
+public class CookieSecurityParser {
+  ArrayList<CookieSecurityDetails> badCookies = new ArrayList<>();
+
+  public CookieSecurityParser(String cookieString) {
+
+    List<CookieSecurityDetails> cookies = new java.util.ArrayList<>();
+
+    List<String> cookieStrings = splitMultiCookies(cookieString);
+    for (String cookieStr : cookieStrings) {
+      CookieSecurityDetails cookie = parseInternal(cookieStr);
+      if (!cookie.isHttpOnly || !cookie.isSecure || !cookie.isSameSiteStrict) {
+        badCookies.add(cookie);
+      }
+    }
+  }
+
+  public ArrayList<CookieSecurityDetails> getBadCookies() {
+    return badCookies;
+  }
+
+  private CookieSecurityDetails parseInternal(String header) {
+    CookieSecurityDetails analyzedCookie = new CookieSecurityDetails();
+
+    StringTokenizer tokenizer = new StringTokenizer(header, ";");
+
+    // there should always have at least on name-value pair;
+    // it's cookie's name
+    try {
+      String nameValuePair = tokenizer.nextToken();
+      int index = nameValuePair.indexOf('=');
+      if (index != -1) {
+        analyzedCookie.cookieName = nameValuePair.substring(0, index).trim();
+      } else {
+        return null;
+      }
+    } catch (NoSuchElementException ignored) {
+      return null;
+    }
+
+    // remaining name-value pairs are cookie's attributes
+    while (tokenizer.hasMoreTokens()) {
+      String attribute = tokenizer.nextToken();
+      int index = attribute.indexOf('=');
+      String name, value;
+      if (index != -1) {
+        name = attribute.substring(0, index).trim();
+        value = attribute.substring(index + 1).trim();
+      } else {
+        name = attribute.trim();
+        value = null;
+      }
+      analyzedCookie.addAttribute(name, value);
+    }
+
+    return analyzedCookie;
+  }
+
+  private static List<String> splitMultiCookies(String header) {
+    List<String> cookies = new java.util.ArrayList<String>();
+    int quoteCount = 0;
+    int p, q;
+
+    for (p = 0, q = 0; p < header.length(); p++) {
+      char c = header.charAt(p);
+      if (c == '"') quoteCount++;
+      if (c == ',' && (quoteCount % 2 == 0)) {
+        // it is comma and not surrounding by double-quotes
+        cookies.add(header.substring(q, p));
+        q = p + 1;
+      }
+    }
+
+    cookies.add(header.substring(q));
+
+    return cookies;
+  }
+}

dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/sink/HttpResponseHeaderModuleTest.groovy

@@ -0,0 +1,88 @@
+package com.datadog.iast.sink
+
+import com.datadog.iast.IastModuleImplTestBase
+import com.datadog.iast.IastRequestContext
+import com.datadog.iast.model.Vulnerability
+import com.datadog.iast.model.VulnerabilityType
+import datadog.trace.api.gateway.RequestContext
+import datadog.trace.api.gateway.RequestContextSlot
+import datadog.trace.api.iast.InstrumentationBridge
+import datadog.trace.bootstrap.instrumentation.api.AgentSpan
+
+class HttpResponseHeaderModuleTest extends IastModuleImplTestBase {
+
+  private List<Object> objectHolder
+
+  private IastRequestContext ctx
+
+  private HttpResponseHeaderModuleImpl module
+
+  private AgentSpan span
+
+  def setup() {
+    InstrumentationBridge.clearIastModules()
+    module = registerDependencies(new HttpResponseHeaderModuleImpl())
+    InstrumentationBridge.registerIastModule(new InsecureCookieModuleImpl())
+    InstrumentationBridge.registerIastModule(new NoHttpOnlyCookieModuleImpl())
+    InstrumentationBridge.registerIastModule(new NoSameSiteCookieModuleImpl())
+    objectHolder = []
+    ctx = new IastRequestContext()
+    final reqCtx = Mock(RequestContext) {
+      getData(RequestContextSlot.IAST) >> ctx
+    }
+    span = Mock(AgentSpan) {
+      getSpanId() >> 123456
+      getRequestContext() >> reqCtx
+    }
+  }
+
+
+  void 'check quota is consumed correctly'() {
+    given:
+    Vulnerability savedVul1
+    Vulnerability savedVul2
+    Vulnerability savedVul3
+
+    when:
+    module.onCookie("user-id", false, false, false)
+
+    then:
+    1 * tracer.activeSpan() >> span
+    4 * span.getSpanId()
+    1 * overheadController.consumeQuota(_, _) >> true
+    1 * reporter.report(_, _ as Vulnerability) >> { savedVul1 = it[1] }
+    1 * reporter.report(_, _ as Vulnerability) >> { savedVul2 = it[1] }
+    1 * reporter.report(_, _ as Vulnerability) >> { savedVul3 = it[1] }
+    0 * _
+    with(savedVul1) {
+      type == VulnerabilityType.INSECURE_COOKIE
+      location != null
+      with(evidence) {
+        value == "user-id"
+      }
+    }
+    with(savedVul2) {
+      type == VulnerabilityType.NO_HTTPONLY_COOKIE
+      location != null
+      with(evidence) {
+        value == "user-id"
+      }
+    }
+    with(savedVul3) {
+      type == VulnerabilityType.NO_SAMESITE_COOKIE
+      location != null
+      with(evidence) {
+        value == "user-id"
+      }
+    }
+  }
+
+  void 'exercise onHeader'() {
+    when:
+    module.onHeader("Set-Cookie", "user-id=7")
+
+    then:
+    1 * tracer.activeSpan()
+    0 * _
+  }
+}