Bearer · cfabianski · Jan 5, 2023 · Jan 3, 2023
diff --git a/integration/custom_detectors/.snapshots/TestCustomDetectors-detect_rails_cookies b/integration/custom_detectors/.snapshots/TestCustomDetectors-detect_rails_cookies
@@ -25,6 +25,12 @@ data_types:
               line_number: 3
             - filename: integration/custom_detectors/testdata/ruby/detect_rails_cookies.rb
               line_number: 12
+    - name: Unique Identifier
+      detectors:
+        - name: ruby
+          locations:
+            - filename: integration/custom_detectors/testdata/ruby/detect_rails_cookies.rb
+              line_number: 9
     - name: Username
       detectors:
         - name: ruby
@@ -42,6 +48,14 @@ risks:
               parent:
                 line_number: 2
                 content: cookies.signed[:info] = user.email
+        - name: Unique Identifier
+          stored: false
+          locations:
+            - filename: integration/custom_detectors/testdata/ruby/detect_rails_cookies.rb
+              line_number: 9
+              parent:
+                line_number: 9
+                content: cookies.permanent[:user_id] = current_user.user_id
 components: []
 
 

diff --git a/integration/custom_detectors/.snapshots/TestCustomDetectors-detect_rails_session b/integration/custom_detectors/.snapshots/TestCustomDetectors-detect_rails_session
@@ -5,6 +5,12 @@ data_types:
           locations:
             - filename: integration/custom_detectors/testdata/ruby/detect_rails_session.rb
               line_number: 2
+    - name: Unique Identifier
+      detectors:
+        - name: ruby
+          locations:
+            - filename: integration/custom_detectors/testdata/ruby/detect_rails_session.rb
+              line_number: 3
     - name: Username
       detectors:
         - name: ruby
@@ -22,6 +28,14 @@ risks:
               parent:
                 line_number: 2
                 content: session[:current_user] = user.email
+        - name: Unique Identifier
+          stored: false
+          locations:
+            - filename: integration/custom_detectors/testdata/ruby/detect_rails_session.rb
+              line_number: 3
+              parent:
+                line_number: 3
+                content: session[:user_id] = current_user.user_id
 components: []
 
 

diff --git a/integration/custom_detectors/testdata/ruby/detect_rails_cookies.rb b/integration/custom_detectors/testdata/ruby/detect_rails_cookies.rb
@@ -6,7 +6,7 @@
 	last_name: "Doe"
 }
 cookies[:login] = { value: user_1.to_json, expires: 1.hour, secure: true }
-
+cookies.permanent[:user_id] = current_user.user_id
 
 # Not detected
 cookies.permanent.encrypted[:secret] = user.address

diff --git a/integration/custom_detectors/testdata/ruby/detect_rails_session.rb b/integration/custom_detectors/testdata/ruby/detect_rails_session.rb
@@ -1,2 +1,3 @@
 session[:user_name] = "mish bear"
-session[:current_user] = user.email
+session[:current_user] = user.email
+session[:user_id] = current_user.user_id
diff --git a/integration/policies/.snapshots/TestPolicies-ruby_cookies_leaking b/integration/policies/.snapshots/TestPolicies-ruby_cookies_leaking
@@ -0,0 +1,15 @@
+high:
+    - policy_name: Do not store sensitive data in cookies.
+      policy_display_id: CR-002
+      policy_description: Storing sensitive data in cookies can lead to a data breach. This policy looks for instances where sensitive data is stored in browser cookies.
+      line_number: 2
+      filename: integration/policies/testdata/ruby/cookies_leaking.rb
+      category_groups:
+        - PII
+      parent_line_number: 2
+      parent_content: cookies.signed[:info] = user.email
+      omit_parent: false
+
+
+--
+
diff --git a/integration/policies/.snapshots/TestPolicies-ruby_session_leaking b/integration/policies/.snapshots/TestPolicies-ruby_session_leaking
@@ -0,0 +1,15 @@
+high:
+    - policy_name: Do not store sensitive data in session cookies.
+      policy_display_id: CR-003
+      policy_description: Sensitive data should not be stored in session cookies. This policy looks for any sensitive data stored within the session cookies.
+      line_number: 2
+      filename: integration/policies/testdata/ruby/session_leaking.rb
+      category_groups:
+        - PII
+      parent_line_number: 2
+      parent_content: session[:current_user] = user.email
+      omit_parent: false
+
+
+--
+
diff --git a/integration/policies/policies_test.go b/integration/policies/policies_test.go
@@ -43,6 +43,8 @@ func TestPolicies(t *testing.T) {
 		newPolicyTest("application_level_encryption_missing_schema_rb", []string{"ruby/application_level_encryption_missing/schema_rb"}, false),
 		newPolicyTest("ruby_weak_password_encryption", []string{"ruby/weak_password_encryption.rb"}, false),
 		newPolicyTest("ruby_jwt_leaking", []string{"ruby/jwt_leaking.rb"}, false),
+		newPolicyTest("ruby_session_leaking", []string{"ruby/session_leaking.rb"}, false),
+		newPolicyTest("ruby_cookies_leaking", []string{"ruby/cookies_leaking.rb"}, false),
 	}
 
 	testhelper.RunTests(t, tests)

diff --git a/integration/policies/testdata/ruby/cookies_leaking.rb b/integration/policies/testdata/ruby/cookies_leaking.rb
@@ -0,0 +1,21 @@
+# Detected
+cookies.signed[:info] = user.email
+cookies.permanent.encrypted[:secret] = user.address
+user_1 = {
+  first_name: "John",
+  last_name: "Doe"
+}
+cookies[:login] = { value: user_1.to_json, expires: 1.hour, secure: true }
+cookies.permanent[:user_id] = current_user.user_id
+
+# Not detected
+cookies[:user_name] = "david"
+cookies.signed[:user_email] = "mish@bearer.sh"
+cookies.encrypted[:full_name] = "John Doe"
+cookies.permanent[:first_name] = "John"
+cookies[:lat_lon] = JSON.generate([47.68, -122.37])
+cookies.signed.permanent[:user] = JSON.generate({first_name: "John", last_name: "Doe"})
+cookies.signed.permanent[:user] = {
+  first_name: "John",
+  last_name: "Doe"
+}.to_json
diff --git a/integration/policies/testdata/ruby/session_leaking.rb b/integration/policies/testdata/ruby/session_leaking.rb
@@ -0,0 +1,3 @@
+session[:user_name] = "mish bear"
+session[:current_user] = user.email
+session[:user_id] = current_user.user_id
diff --git a/pkg/commands/process/settings/policies/leakage.rego b/pkg/commands/process/settings/policies/leakage.rego
@@ -9,6 +9,7 @@ policy_failure contains item if {
     detector.detector_id == input.policy_id
 
     data_type = detector.data_types[_]
+    data_type.name != "Unique Identifier"
 
     location = data_type.locations[_]
     item := {