Security Fix: CWE-614 — Nil/default cookie options emit cookies without secure attributes

Summary

Vulnerability Description

SecureCookieManager.Set accepted nil or empty CookieOptions, converted nil to an empty struct, and copied zero-value cookie security attributes into http.Cookie. Library callers that omitted options could issue encrypted or signed cookies without HttpOnly, Secure, SameSite, or a stable Path default. CookieSessionManager.Update forwarded its stored options into the same sink, so nil session-manager options reached the same insecure default behavior.

Proof of Exploit

The proof harness called SecureCookieManager.Set and CookieSessionManager.Update with nil/default options. The emitted Set-Cookie headers omitted HttpOnly, Secure, SameSite, and Path. Runtime startup was intentionally disabled for this static Go library; the source-to-sink path is deterministic and was replayed with host-side Go tests.

Data Flow

Caller omits CookieOptions -> SecureCookieManager.Set receives opts == nil or an empty options struct -> zero-value cookie security attributes are copied into http.Cookie -> http.SetCookie emits the header. For sessions, NewCookieSessionManager(..., nil) -> CookieSessionManager.Update -> SecureCookieManager.Set reaches the same sink.

Changes Made

Added secure default cookie options for nil/default paths:

• Path=/
• HTTPOnly=true
• Secure=true
• SameSite=Lax

Set and Delete now apply those defaults before emitting cookies. Focused regression tests cover direct secure-cookie writes and the session-manager update path.

Before / After

Before:

if opts == nil {
	opts = &CookieOptions{}
}

cookie := http.Cookie{
	Path:     opts.Path,
	HttpOnly: opts.HTTPOnly,
	Secure:   opts.Secure,
	SameSite: opts.SameSite,
}

After:

cookieOpts := defaultCookieOptions(opts)

cookie := http.Cookie{
	Path:     cookieOpts.Path,
	HttpOnly: cookieOpts.HTTPOnly,
	Secure:   cookieOpts.Secure,
	SameSite: cookieOpts.SameSite,
}

HIPAA / PII Impact Assessment

This fix protects encrypted cookie/session values that may gate access to patient data in consuming services. It does not add logging, expose cookie contents, or touch stored PHI/PII.

Testing

• Regression test added or exact existing spec cited: go test -v ./...
• Existing tests pass
• Proof-of-exploit no longer works after fix
• No regression in authentication/authorization flows
• RuboCop/lint passes for changed Ruby files: N/A, Go library; go vet ./... passed

QA

This repository is a backend Go library/package with no browser, admin UI, or running service surface. Manual validation is local/API-level:

1. Run go test -v ./....
2. Confirm TestSecureCookieManagerSetAppliesSecureDefaults and TestCookieSessionManagerUpdateUsesSecureDefaultCookieOptions pass.
3. Inspect the generated Set-Cookie assertions in cookie_options_test.go and verify they require HttpOnly, Secure, SameSite=Lax, and Path=/.

Reviewers

Ready-for-review PRs request @doximity/security_guild_reviewers (AppSec) plus
CODEOWNERS for the changed paths. Draft PRs intentionally defer security-guild
review requests until the PR is validated and marked ready. Both must approve
before merge.

This PR was auto-generated by the security-auditor agent.
The "Agent run cost" block is appended to this description automatically after
the audit run completes.