Polish tests

2026-04-29 02:35:15 +02:00 · 2021-10-28 09:24:47 +02:00
parent 48c3c3d8a8
commit 0f2b81e0d2
4 changed files with 14 additions and 16 deletions
--- a/python/ql/test/experimental/query-tests/Security/CWE-614/django_bad.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-614/django_bad.py
@@ -3,11 +3,13 @@ import django.http

 def django_response(request):
    resp = django.http.HttpResponse()
-    resp.set_cookie("name", "value", secure=None)
+    resp.set_cookie("name", "value", secure=False,
+                    httponly=False, samesite='None')
    return resp


 def django_response(request):
    resp = django.http.HttpResponse()
-    resp.set_cookie("name", "value", secure=False)
+    resp.set_cookie("name", "value", secure=False,
+                    httponly=False, samesite='None')
    return resp
--- a/python/ql/test/experimental/query-tests/Security/CWE-614/django_good.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-614/django_good.py
@@ -3,13 +3,14 @@ import django.http

 def django_response(request):
    resp = django.http.HttpResponse()
-    resp['Set-Cookie'] = "name=value; Secure;"
+    resp['Set-Cookie'] = "name=value; Secure; HttpOnly; SameSite=Lax;"
    return resp


 def django_response(request):
    resp = django.http.HttpResponse()
-    resp.set_cookie("name", "value", secure=True)
+    resp.set_cookie("name", "value", secure=True,
+                    httponly=True, samesite='Lax')
    return resp


--- a/python/ql/test/experimental/query-tests/Security/CWE-614/flask_bad.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-614/flask_bad.py
@@ -6,14 +6,8 @@ app = Flask(__name__)
@app.route("/false")
 def false():
    resp = make_response()
-    resp.set_cookie("name", value="value", secure=False)
-    return resp
-
-
-@app.route("/none")
-def none():
-    resp = make_response()
-    resp.set_cookie("name", value="value", secure=None)
+    resp.set_cookie("name", value="value", secure=False,
+                    httponly=False, samesite='None')
    return resp


@@ -27,7 +21,7 @@ def flask_Response():
@app.route("/flask_make_response")
 def flask_make_response():
    resp = make_response("hello")
-    resp.headers['Set-Cookie'] = "name=value;"
+    resp.headers['Set-Cookie'] = "name=value; SameSite=None;"
    return resp

 # if __name__ == "__main__":
--- a/python/ql/test/experimental/query-tests/Security/CWE-614/flask_good.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-614/flask_good.py
@@ -6,21 +6,22 @@ app = Flask(__name__)
@app.route("/true")
 def true():
    resp = make_response()
-    resp.set_cookie("name", value="value", secure=True)
+    resp.set_cookie("name", value="value", secure=True,
+                    httponly=True, samesite='Lax')
    return resp


@app.route("/flask_Response")
 def flask_Response():
    resp = Response()
-    resp.headers['Set-Cookie'] = "name=value; Secure;"
+    resp.headers['Set-Cookie'] = "name=value; Secure; HttpOnly; SameSite=Lax;"
    return resp


@app.route("/flask_make_response")
 def flask_make_response():
    resp = make_response("hello")
-    resp.headers['Set-Cookie'] = "name=value; Secure;"
+    resp.headers['Set-Cookie'] = "name=value; Secure; HttpOnly; SameSite=Lax;"
    return resp