rastray 0.15.0

Blazing-fast static analysis CLI for security, dependency, and performance audits.

# RSTR-COOKIE-003 — `sameSite: 'none'` cookie

## Summary

A cookie is configured with `sameSite: 'none'`. Browsers will send
this cookie on every cross-site request, which means the cookie is
attached to requests originating from third-party pages — the exact
condition that CSRF exploits.

Two failure modes:

1. **Without `secure: true`** — modern browsers reject the combination
   outright; the cookie is silently dropped and the app breaks.
2. **With `secure: true`** — the cookie is sent on every cross-site
   request, including `fetch` calls and auto-submitted forms from a
   third-party page, opening a CSRF surface that `sameSite: 'lax'`
   (what Chromium-based browsers assume when the attribute is absent)
   would have blocked for cross-site POSTs and sub-resource requests.
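
To make the two failure modes concrete, here is an added example (not
rastray's own code) that models the SameSite rules Chromium documents
and reports which forged cross-site requests each cookie configuration
would ride along on. The cookie and request object shapes, and the
constructed `FORGED` requests, are assumptions made for this illustration.

```javascript
// Added example, not rastray's own code: a simplified model of Chromium's
// SameSite handling. Cookie/request shapes are assumptions for illustration.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Normalise the attribute: an absent or unrecognised value is treated as
// Lax, which is Chromium's behaviour (Firefox and Safari differ).
function effectiveSameSite(cookie) {
  const value = String(cookie.sameSite || '').toLowerCase();
  return ['strict', 'lax', 'none'].includes(value) ? value : 'lax';
}

// Set-Cookie stage. Failure mode 1: SameSite=None without Secure is
// rejected, so the cookie is never stored at all.
function acceptsSetCookie(cookie) {
  return !(effectiveSameSite(cookie) === 'none' && !cookie.secure);
}

// Request stage: would the stored cookie be attached to this request?
// request = { crossSite, topLevelNavigation, method, scheme }
function cookieAttached(cookie, request) {
  if (!acceptsSetCookie(cookie)) return false;                 // never stored
  if (cookie.secure && request.scheme !== 'https') return false; // Secure: HTTPS only
  if (!request.crossSite) return true;                         // same-site: always sent
  switch (effectiveSameSite(cookie)) {
    case 'strict': return false;                               // never cross-site
    case 'lax':    return request.topLevelNavigation && SAFE_METHODS.has(request.method);
    default:       return true;                                // 'none': failure mode 2
  }
}

// Constructed forged requests, as issued from an attacker-controlled page.
const FORGED = {
  fetchPost: { crossSite: true, topLevelNavigation: false, method: 'POST', scheme: 'https' },
  formPost:  { crossSite: true, topLevelNavigation: true,  method: 'POST', scheme: 'https' },
  linkGet:   { crossSite: true, topLevelNavigation: true,  method: 'GET',  scheme: 'https' },
  imgGet:    { crossSite: true, topLevelNavigation: false, method: 'GET',  scheme: 'https' },
};

// Map each forged request to whether the cookie would accompany it.
function exposure(cookie) {
  const result = {};
  for (const [name, request] of Object.entries(FORGED)) {
    result[name] = cookieAttached(cookie, request);
  }
  return result;
}

// Configurations discussed in this rule's text.
const CONFIGS = {
  noneInsecure: { sameSite: 'none' },                // flagged; browser drops it
  noneSecure:   { sameSite: 'none', secure: true },  // flagged; sent on every forged request
  unset:        { secure: true },                    // not flagged; Lax in Chromium only
  lax:          { sameSite: 'lax', secure: true },
  strict:       { sameSite: 'strict', secure: true },
};

for (const [name, cookie] of Object.entries(CONFIGS)) {
  console.log(name.padEnd(13), acceptsSetCookie(cookie) ? 'stored ' : 'dropped', exposure(cookie));
}
```

Running it shows `noneSecure` accompanying all four forged requests,
`lax` and `unset` accompanying only the top-level `GET` link (the gap
Lax leaves for state-changing `GET` endpoints), and `strict` none. Not
modelled: Chromium's temporary "Lax+POST" allowance for cookies without
an explicit attribute, and the fact that Firefox and Safari do not
default an unset attribute to Lax.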

## Severity

`Medium`. Only set `sameSite: 'none'` when third-party embedding is
a hard requirement (federated SSO, embedded checkout widgets, etc.).

## Languages

JavaScript, TypeScript.

## What rastray flags

Cookie options with `sameSite: 'none'`:

```js
res.cookie('sid', token, { sameSite: 'none' });      // ← flagged

app.use(session({
  cookie: { sameSite: 'none', secure: true },        // ← flagged
}));
```

## What rastray deliberately does *not* flag

- `sameSite: 'lax'` or `sameSite: 'strict'`.
- Cookies with no `sameSite` field set explicitly. Chromium-based
  browsers treat these as `lax`, but Firefox and Safari do not, so set
  the attribute explicitly rather than relying on a browser default.

## How to fix it

Prefer the strictest value that still lets the application work:

```js
res.cookie('sid', token, {
  sameSite: 'strict',   // never sent cross-site, not even on a top-level navigation
  secure: true,         // HTTPS only
  httpOnly: true,       // not readable from script
});
```

`'strict'` has a usability cost: a user who follows a link to the site
from elsewhere arrives without the cookie, i.e. logged out. `'lax'` is
acceptable when top-level cross-site navigations need the cookie (the
common case for OAuth callbacks and login redirects). Note that `'lax'`
attaches the cookie only to top-level navigations using a safe method
(`GET`, `HEAD`), so it does not protect state-changing `GET` endpoints,
and it will break an OAuth flow that delivers the callback by `POST`
(`response_mode=form_post`).

If `'none'` is genuinely required (third-party iframe scenario), pair
it with `secure: true` **and** ensure every state-changing endpoint
has its own anti-CSRF mechanism (synchronizer token, double-submit
cookie). Suppress with an explanatory comment:

```js
// rastray-ignore: RSTR-COOKIE-003 — required for embedded checkout iframe; CSRF
//                  protected by per-request token in the X-CSRF-Token header
res.cookie('sid', token, { sameSite: 'none', secure: true, httpOnly: true });
```

## References

- [MDN: SameSite cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#samesite_attribute)
- [OWASP CSRF Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)
- [Chrome SameSite enforcement](https://blog.chromium.org/2020/02/samesite-cookie-changes-in-february.html)