[FIX] False positive for insecure cookie attack in case of secure com…

…munication (#115)
newrelic · Nov 23, 2023 · 258949e · 258949e
1 parent 6fe3afd
commit 258949e
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 3 deletions.
diff --git a/...ity/servlet-2.4/src/main/java/javax/servlet/http/HttpServletResponse_Instrumentation.java b/...ity/servlet-2.4/src/main/java/javax/servlet/http/HttpServletResponse_Instrumentation.java
@@ -43,7 +43,8 @@ private AbstractOperation preprocessSecurityHook(Cookie cookie, String className
                 return null;
             }
 
-            SecureCookieOperation operation = new SecureCookieOperation(Boolean.toString(cookie.getSecure()), className, methodName);
+            boolean isSecure = "https".equals(securityMetaData.getRequest().getProtocol()) || cookie.getSecure();
+            SecureCookieOperation operation = new SecureCookieOperation(Boolean.toString(isSecure), className, methodName);
             operation.setLowSeverityHook(true);
             NewRelicSecurity.getAgent().registerOperation(operation);
 

diff --git a/...y/servlet-5.0/src/main/java/jakarta/servlet/http/HttpServletResponse_Instrumentation.java b/...y/servlet-5.0/src/main/java/jakarta/servlet/http/HttpServletResponse_Instrumentation.java
@@ -43,7 +43,8 @@ private AbstractOperation preprocessSecurityHook(Cookie cookie, String className
                 return null;
             }
 
-            SecureCookieOperation operation = new SecureCookieOperation(Boolean.toString(cookie.getSecure()), className, methodName);
+            boolean isSecure = "https".equals(securityMetaData.getRequest().getProtocol()) || cookie.getSecure();
+            SecureCookieOperation operation = new SecureCookieOperation(Boolean.toString(isSecure), className, methodName);
             operation.setLowSeverityHook(true);
             NewRelicSecurity.getAgent().registerOperation(operation);
 

diff --git a/...y/servlet-6.0/src/main/java/jakarta/servlet/http/HttpServletResponse_Instrumentation.java b/...y/servlet-6.0/src/main/java/jakarta/servlet/http/HttpServletResponse_Instrumentation.java
@@ -43,7 +43,8 @@ private AbstractOperation preprocessSecurityHook(Cookie cookie, String className
                 return null;
             }
 
-            SecureCookieOperation operation = new SecureCookieOperation(Boolean.toString(cookie.getSecure()), className, methodName);
+            boolean isSecure = "https".equals(securityMetaData.getRequest().getProtocol()) || cookie.getSecure();
+            SecureCookieOperation operation = new SecureCookieOperation(Boolean.toString(isSecure), className, methodName);
             operation.setLowSeverityHook(true);
             NewRelicSecurity.getAgent().registerOperation(operation);