Found `self` identifier where `Self` was expectedRS-E1001Found invalid regexRS-E1002Found empty range expressionRS-E1005Found explicit self-assignmentRS-W1013Called `unwrap` on `option_env!` macroRS-W1016Found builtin-type shadowRS-W1028Found possibly mistyped suffixRS-E1009Found similar pattern and replacement in `str::replace`RS-W1094Found potentially incorrect use of `map`RS-W1089Unnecessary iteration to determine length of collectionRS-W1093Possibly missing comma in array expressionRS-W1121Found non UTF-8 literal in `str::from_utf8_unchecked`RS-W1122Found use of deprecated functionRS-W1128Found assertion on boolean constantRS-W1021Unneeded wildcard patternRS-C1004Usage of `print!` macro with newlineRS-C1005Found unneeded field patternRS-C1010This match statement can be collapsed into an if-let statementRS-W1006This match statement can be collapsed into an if-else statementRS-W1007Found if block with identical else blockRS-W1008Found consecutive if expressions with the same conditionRS-W1009Found useless if blockRS-W1010Found `map` with identity functionRS-W1018Found unnecessary `fold`RS-W1022Usage of `fs::create_dir`RS-W1032Extending string with another using `chars`RS-W1095Found incorrect usage of `#[inline]` attributeRS-E1006Found occurrence of `.bytes().count()`RS-P1001Found occurrence of `.skip(..).next()`RS-W1036Array-expression or type initialized with zero lengthRS-W1096Found usage of `split` to check for presence of patternRS-W1097Found redundant unsafe operation: `libc::strlen`RS-W1098Found manual implementation of a `char::is_ascii_*` methodRS-W1099Found obfuscated if-else expressionRS-W1120Syntax ErrorRS-E1000File or directory created with insecure permissionsRS-A1001Audit required: Sensitive cookie without `HttpOnly` attributeRS-A1003Audit required: Sensitive cookie without `secure` attributeRS-A1002Found occurrence of `.step_by(0)`RS-E1003Iterating over `Option` typeRS-E1004Found erasing operationRS-E1007Detected non-octal Unix permissionsRS-E1013Found non-binding `let` on a synchronization lockRS-E1014Attempting to hash a unit valueRS-E1017Setting global write permission on fileRS-S1016Attempting to `transmute` a `ptr` to a `ref`RS-E1018Attempting to `transmute` a `ref` to a `ptr`RS-E1019Attempting to `transmute` a `ptr` to a `ptr` when `ref` transmute is saferRS-E1020Audit required: Found vulnerable content security policy header in HTTP responseRS-A1011Found `.clone()` call on a double referenceRS-W1100Manual implementation of `Error::type_id`RS-S1001Found string literal in `env` functionsRS-W1015Detected conversion between differently sized raw slicesRS-S1013Insufficient RSA key sizeRS-S1005Missing regex anchorRS-S1008Hardcoded temporary file or directory detectedRS-S1003Found usage of cryptographically insecure algorithmRS-S1004Found comparison with `NaN`RS-E1012Found potentially incorrect use of bitwise XORRS-S1007Potentially unsafe usage of `std::fs::remove_dir_all`RS-S1002Detected conversion of `*const` to `*mut`RS-S1011Detected conversion of raw slice to `ptr`RS-S1012Called `mem::forget` or `mem::drop` on a referenceRS-E1010Called `mem::forget` or `mem::drop` on a Copy typeRS-E1011Audit required: Use of `VecDeque::make_contiguous`RS-A1005Audit required: Exposure of sensitive headersRS-A1004Audit required: Use of `Vec::from_iter`RS-A1006Detected invisible unicode characterRS-S1010Comparing unit valuesRS-E1016Found potentially incomplete ASCII rangeRS-W1086Found manual approximation of known floating constantRS-W1207Found binary operation with identical left and right hand sidesRS-E1008Passing unit value as argument to functionRS-E1015Found single-character string literal patternRS-P1100Bind to all interfacesRS-S1006Unused `.enumerate()` or `.zip(..)` itemsRS-W1039Found usage of `crate` in macro definitionRS-W1084Found inaccurate duration calculationRS-W1087Needless iteration over collection that allows indexingRS-W1091Using ordered iteration methods on arbitrarily ordered iteratorRS-W1081Found redundant use of `mem::replace`RS-W1113Redirect to destination from possibly tainted sourceRS-S1009Usage of DoS vulnerable version of `regex` crateRS-S1015Comparing function pointer to `null`RS-W1115Found redundant use of `mem::replace`RS-W1112Found redundant use of `mem::replace`RS-W1114Called `mem::forget` or `mem::drop` on a non-Drop typeRS-E1021Found I/O operation with unhandled return valueRS-E1023Potential path traversal vulnerability due to `actix::NamedFile::open(..)`RS-S1014Found isize/usize enumeration with overflowing valueRS-W1075Insertion of pointer to non-owned reference counted value into vectorRS-W1106Audit required: Found `X-XSS-Protection` header in HTTP responseRS-A1010Cast from function pointer to non-pointer typeRS-W1124Found transmute between a type `T` and `*T` or `&T`RS-E1024Audit required: Function call in `default()` that returns `Self`RS-A1008Found explicitly ignored future valueRS-E1035Audit required: Calling `extend()` on `HashMap`RS-A1009Audit required: Use of large `enum` variantRS-A1007Found transmute between an integer and a `bool`RS-E1025Found transmute between an integer and `NonZero` typeRS-E1026Found transmute between integer literal and `fn` ptrRS-E1027Found transmute between a literal and a `*T` ptrRS-E1028Transmute from `float` or `char` to reference or pointerRS-E1029Transmute from integer type to `char`RS-E1030Found transmute between a numeric type and array or sliceRS-E1031Found transmute between tuple and array or sliceRS-E1032Found `print!` in implementation of `Display`RS-E1034Using `std::mem::size_of_val()` on reference of type rather than type itselfRS-W1123Function with cyclomatic complexity higher than thresholdRS-R1000Found duplicate underscore argumentsRS-W1014Comparing with `""` or `[]` when `.is_empty()` could be usedRS-W1102Found redundant wildcard patternsRS-W1213Found error-prone cast to `u8`RS-W1080Found unnecessary boolean comparisonRS-W1001Potentially unsafe usage of `Arc::get_mut`RS-S1000Use of `FIXME`/`XXX`/`TODO`RS-D1000Unnecessary double parenthesesRS-C1000Found enum variants with similar prefixes or suffixesRS-C1003Empty format string in macro callRS-C1006Found hexadecimal literal with mixed-case letter digitsRS-C1007Found block expression in `if` conditionRS-C1008Matching over booleanRS-C1011Found zero-prefixed literalRS-C1012Found `dbg!` macroRS-C1013Found `#[must_use]` on a unit-returning functionRS-W1011Found empty loop expressionRS-P1000Found double unary negationRS-W1002Found exclusive range where 1 is added to the upper boundRS-W1003Found inclusive range where 1 is subtracted from the upper boundRS-W1004Found trivial or undefined modulus operationRS-W1005Zipping iterator with a range when `enumerate()` would doRS-W1012Found no-op macro callRS-W1017Found `filter_map` with identity functionRS-W1019Found `flat_map` with identity functionRS-W1020Found boolean assert comparisonRS-W1024Dereference of an address is a no-opRS-W1025Found redundant field name in initializerRS-W1026Found trivial regexRS-W1027Found redundant pattern matchingRS-W1029Usage of `expect` followed by a function callRS-W1030Usage of `unwrap_or` followed by a function callRS-W1031Found iterator or string search followed by `is_some` or `is_none`RS-W1033Found occurrence of `Arc<RwLock<HashMap<K, V>>>`RS-P1003Found manual implementation of `Seek::rewind`RS-W1046Found occurrence of `Rc::new("..")`RS-W1062Found usage of `FileType::is_file`RS-A1000Found manual implementation of `find_map`RS-W1210Found `todo!` macroRS-W1065Found unnecessary chain of `map` and `unwrap_or`RS-W1072Found occurrence of `.bytes().nth(..)`RS-P1002Adding single-character string literalRS-P1004Found call to `.trim()` followed by `.split_whitespace()`RS-P1005Unnecessary `collect()` on iterable to `Vec`RS-P1006Found collapsible `.replace(..)` method callsRS-P1007Found redundant static lifetimeRS-W1034Found occurrence of `.inspect(..).for_each(..)`RS-W1035Found wildcard in an or-patternRS-W1037Found usage of `.is_digit(..)` with known radixRS-W1038Found occurrence of `.skip_while(..).next()`RS-W1040Found character comparison using `.chars().last()`RS-W1041Found character comparison using `.chars().next()`RS-W1042Found occurrence of `.to_digit(..).is_some()`RS-W1043Found redundant conversion from `Result::Ok` to `Option`RS-W1044Found manual implementation of `Instant::elapsed`RS-W1045Found potentially ambiguous use of `.splitn(..)`RS-W1047Found occurrence of `.chars().filter(..)`RS-W1049Found occurrence of `&Box<T>` or `&mut Box<T>`RS-W1050Found occurrence of `Default::default()`RS-W1051Found use of `as` to convert literalsRS-W1052Found occurrence of `.nth(0)`RS-W1053Found suspicious loop over a fallibleRS-W1054Found manual implementation of `Result::is_ok`RS-W1055Found occurrence of `Arc<RefCell>` or `Arc<Cell<T>>`RS-W1056Found occurrence of `Arc<Box<T>>`RS-W1057Found occurrence of `Box::new("..")`RS-W1058Found occurrence of `Box<&str>`RS-W1059Found occurrence of `Box<String>`RS-W1060Found occurrence of `Box<Vec<T>>`RS-W1061Found occurrence of `Rc<&str>`RS-W1063Found occurrence of `Rc<String>`RS-W1064Found manual implementation of `.split_once(..)`RS-W1066Found possibly misused `.splitn(..)`RS-W1067Found redundant conversion from `Result::Err` to `Option`RS-W1071Found `fold` over `Option`RS-W1085Found manual implementation of `slice::last`RS-W1088Found unnecessary `.ok()` in pattern matchRS-W1090Manual implementation of `unwrap_or`RS-W1092Found `unwrap_or_else(..)` where `unwrap_or_default()` would sufficeRS-W1104Found occurrence of `vec.resize(0, ..)`RS-W1107Construction of Iterator from single-element collectionRS-W1200Invoking `.map_or()` with identity closureRS-W1201Found unnecessary closureRS-W1202Using `.join(..)` with empty stringRS-W1203Redundant `map(..).filter_map(..)` chainRS-W1204Manual implementation of `try_from_each`RS-W1205Found explicit closure for cloning elementsRS-W1206Found usage of `.repeat(1)`RS-W1208Found redundant `if-else`RS-W1209Redundant `and_then` over `map`RS-W1211Found redundant call to `.count_ones()`RS-W1212Found manual implementation of `cycle`RS-W1215Found `bool::then` returning a literalRS-W1216Found potentially buggy split of string into linesRS-W1217Found redundant `take_while` with `map` callRS-W1214Found manual implementation of `Seek::stream_position`RS-W1082Found needless `Option::take`RS-W1083Found use of `.clone()` in assignmentRS-W1070Found usage of `Box::new(T::default())`RS-P1008Consider using `.clamp(min, max)`, instead of `.max(min).min(max)` or `.min(max).max(min)`RS-W1069Found comparison with `None`RS-W1108Found manual implementation of `stream_position(..)`RS-W1109Found implementation of `default()` outside `Default` traitRS-E1022Found manual implementation of `std::ptr::null()`RS-W1078Found useless lint attributeRS-W1074Found pointer comparison with `ptr::null()`RS-C1014Found nested `format!` macro in a formatting macroRS-W1068Found const declaration of atomic typeRS-W1076Found `while` with constant conditionRS-W1077Empty call to `new()`RS-W1079Found `ref` keyword with `&` referenceRS-W1105Found call to `clone()` on type that implements CopyRS-W1110Found trivial implementation of `default()`RS-W1111Found redundant let-bindingRS-W1218Found redundant `match` over `std::cmp::Ordering`RS-W1219Found redundant `lock()` on `std::io::stdin()`RS-W1220Found empty tuple struct or tuple variantRS-W1125Found usage of `then_some(..).unwrap_or(..)`RS-C1015Undocumented public item in source codeRS-D1001Unnecessary `OnceCell` wrapper around `Mutex`RS-W1135Found manual implementation of `retain()`RS-P1009Found manual implementation of `T::BITS`RS-W1132Found manual implementation of `vec.first()`RS-W1116Found `print!` in implementation of `Debug`RS-W1133Found redundant transmute between the type `T` and `T`RS-W1117Found redundant type annotationRS-C1016Found use of `std::ffi::c_void` ptr in `from_raw`RS-W1118Found manual implementation of `std::ptr::eq` on referencesRS-W1119Found transmute from floating point type to integer typeRS-W1126Found transmute from integer type to floating point typeRS-W1127Found explicitly ignored unit valueRS-W1129Found unnecessary destructure in assignmentRS-W1130Found occurrence of `.filter(..).next()`RS-W1023Found cast of `abs()` to unsigned integer typeRS-W1131Found manual implementation of `eq()` on `OsString`RS-W1134Unnecessary parenthesesRS-C1001Unnecessary braces in `use` statementRS-C1002Found redundant patternRS-W1000
Rust logoRust/
RS-A1002

Audit required: Sensitive cookie without `secure` attributeRS-A1002

Critical severityCritical
Security categorySecurity
a02, cwe-614, cwe-315, cwe-314, owasp-top-10

Cookies set without the secure flag can cause the user agent to send those cookies in plaintext over an HTTP session with the same server. This can lead to man-in-the-middle attacks.

In past it has led to the following vulnerabilities:

Generally, the production sites redirect any requests that are sent over HTTP to the same URL but on HTTPS. In this case, make sure that these HTTP requests that are immediately redirected to HTTPS do not carry any cookie that contains sensitive information. The secure flag limits cookies to HTTPS traffic only so, the browser will never send secure cookies with requests that are not encrypted.

Bad practice

use cookie::Cookie;

let mut c = Cookie::new("data", "sensitive value")
c.set_secure(false);

use cookie::Cookie;

let mut c = Cookie::new("data", "sensitive value")
c.set_secure(true);

References

Exceptions

While this issue mostly makes sense if you're setting a sensitive cookie, DeepSource will flag all the cookies encountered without the secure flag. This is to ensure that every cookie is audited carefully.