assume that setting the secure/httpOnly flag to some unknown value is good

2026-05-05 13:45:19 +02:00 · 2021-10-12 13:26:18 +02:00
parent 5228196f79
commit 038438edca
2 changed files with 33 additions and 8 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-614/tst-cleartextCookie.js
+++ b/javascript/ql/test/query-tests/Security/CWE-614/tst-cleartextCookie.js
@@ -196,3 +196,18 @@ http.createServer((req, res) => {
    res.writeHead(200, { 'Content-Type': 'text/plain' });
    res.end('ok');
 });
+
+(function mightBeSecures() {
+    const express = require('express')
+    const app = express()
+    const session = require('express-session')
+
+    app.use(session({
+      secret: config.sessionSecret,
+      cookie: {
+        httpOnly: config.sessionCookie.httpOnly,
+        secure: config.sessionCookie.secure && config.secure.ssl
+      },
+      name: config.sessionKey
+    }));
+})();