Merge pull request #940 from AzureAD/akaliugonna/codeqlIssues

Avery-Dunn · web-flow · commit 54f3d44e13e2 · 2025-04-16T08:27:06.000-07:00
Address codeql alerts
diff --git a/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/DefaultHttpClientManagedIdentity.java b/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/DefaultHttpClientManagedIdentity.java
@@ -29,7 +29,6 @@
  */
 class DefaultHttpClientManagedIdentity extends DefaultHttpClient {
 
-    // CodeQL [SM03767] False positive: in addTrustedCertificateThumbprint() we create a TrustManager that only trusts a certificate with a specific thumbprint.
     public static final HostnameVerifier ALL_HOSTS_ACCEPT_HOSTNAME_VERIFIER = new HostnameVerifier() {
         @SuppressWarnings("BadHostnameVerifier")
         @Override
@@ -85,6 +84,8 @@ public static void addTrustedCertificateThumbprint(HttpsURLConnection httpsUrlCo
                                                        String certificateThumbprint) {
         //We expect the connection to work against a specific server side certificate only, so it's safe to disable the
         // host name verification.
+
+        // CodeQL [SM03767] False positive: the TrustManager created later on will only trust a certificate with a specific thumbprint.
         if (httpsUrlConnection.getHostnameVerifier() != ALL_HOSTS_ACCEPT_HOSTNAME_VERIFIER) {
             httpsUrlConnection.setHostnameVerifier(ALL_HOSTS_ACCEPT_HOSTNAME_VERIFIER);
         }
diff --git a/msal4j-sdk/src/samples/msal-b2c-web-sample/src/main/java/com/microsoft/azure/msalwebsample/CookieHelper.java b/msal4j-sdk/src/samples/msal-b2c-web-sample/src/main/java/com/microsoft/azure/msalwebsample/CookieHelper.java
@@ -31,6 +31,7 @@ static void removeStateNonceCookies(HttpServletResponse httpResponse){
 
         Cookie stateCookie = new Cookie(MSAL_WEB_APP_STATE_COOKIE, "");
         stateCookie.setMaxAge(0);
+        stateCookie.setSecure(true);
 
         httpResponse.addCookie(stateCookie);
 
diff --git a/msal4j-sdk/src/samples/msal-web-sample/src/main/java/com/microsoft/azure/msalwebsample/CookieHelper.java b/msal4j-sdk/src/samples/msal-web-sample/src/main/java/com/microsoft/azure/msalwebsample/CookieHelper.java
@@ -31,6 +31,7 @@ static void removeStateNonceCookies(HttpServletResponse httpResponse){
 
         Cookie stateCookie = new Cookie(MSAL_WEB_APP_STATE_COOKIE, "");
         stateCookie.setMaxAge(0);
+        stateCookie.setSecure(true);
 
         httpResponse.addCookie(stateCookie);
 
