prepare move to non-experimental

2026-04-30 11:15:13 +02:00 · 2021-10-04 22:41:48 +02:00
parent 44db920f10
commit 26a24a3895
3 changed files with 46 additions and 8 deletions
--- a/javascript/ql/lib/semmle/javascript/frameworks/CookieLibraries.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/CookieLibraries.qll
@@ -4,6 +4,31 @@

 import javascript

+/**
+ * Classes and predicates for reasoning about writes to cookies.
+ */
+module CookieWrites {
+  /**
+   * A write to a cookie.
+   */
+  abstract class CookieWrite extends DataFlow::Node {
+    /**
+     * Holds if this cookie is secure, i.e. only transmitted over SSL.
+     */
+    abstract predicate isSecure();
+
+    /**
+     * Holds if this cookie is HttpOnly, i.e. not accessible by JavaScript.
+     */
+    abstract predicate isHttpOnly();
+
+    /**
+     * Holds if the cookie is likely an authentication cookie or otherwise sensitive.
+     */
+    abstract predicate isSensitive();
+  }
+}
+
 /**
 * A model of the `js-cookie` library (https://github.com/js-cookie/js-cookie).
 */
@@ -26,6 +51,7 @@ private module JsCookie {
  }

  class WriteAccess extends PersistentWriteAccess, DataFlow::CallNode {
+    // TODO: CookieWrite
    WriteAccess() { this = libMemberCall("set") }

    string getKey() { getArgument(0).mayHaveStringValue(result) }
@@ -54,6 +80,7 @@ private module BrowserCookies {
  }

  class WriteAccess extends PersistentWriteAccess, DataFlow::CallNode {
+    // TODO: CookieWrite
    WriteAccess() { this = libMemberCall("set") }

    string getKey() { getArgument(0).mayHaveStringValue(result) }
@@ -82,6 +109,7 @@ private module LibCookie {
  }

  class WriteAccess extends PersistentWriteAccess, DataFlow::CallNode {
+    // TODO: CookieWrite
    WriteAccess() { this = libMemberCall("serialize") }

    string getKey() { getArgument(0).mayHaveStringValue(result) }
--- a/javascript/ql/src/experimental/Security/CWE-1004/CookieWithoutHttpOnly.ql
+++ b/javascript/ql/src/experimental/Security/CWE-1004/CookieWithoutHttpOnly.ql
@@ -13,8 +13,15 @@
 */

 import javascript
-import experimental.semmle.javascript.security.InsecureCookie::Cookie
+import experimental.semmle.javascript.security.InsecureCookie::Cookie as ExperimentalCookie

-from CookieWrite cookie
-where cookie.isSensitive() and not cookie.isHttpOnly()
-select cookie, "Cookie attribute 'HttpOnly' is not set to true for this sensitive cookie."
+from DataFlow::Node node
+where
+  exists(ExperimentalCookie::CookieWrite cookie | cookie = node |
+    cookie.isSensitive() and not cookie.isHttpOnly()
+  )
+  or
+  exists(CookieWrites::CookieWrite cookie | cookie = node |
+    cookie.isSensitive() and not cookie.isHttpOnly()
+  )
+select node, "Cookie attribute 'HttpOnly' is not set to true for this sensitive cookie."
--- a/javascript/ql/src/experimental/Security/CWE-614/InsecureCookie.ql
+++ b/javascript/ql/src/experimental/Security/CWE-614/InsecureCookie.ql
@@ -11,8 +11,11 @@
 */

 import javascript
-import experimental.semmle.javascript.security.InsecureCookie::Cookie
+import experimental.semmle.javascript.security.InsecureCookie::Cookie as ExperimentalCookie

-from CookieWrite cookie
-where not cookie.isSecure()
-select cookie, "Cookie is added to response without the 'secure' flag being set to true"
+from DataFlow::Node node
+where
+  exists(ExperimentalCookie::CookieWrite cookie | cookie = node | not cookie.isSecure())
+  or
+  exists(CookieWrites::CookieWrite cookie | cookie = node | not cookie.isSecure())
+select node, "Cookie is added to response without the 'secure' flag being set to true"