hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 10:15:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Update and fix tests

Browse Source
This commit is contained in:
Joe Farebrother
2025-09-23 15:41:09 +01:00
parent d28e8004fd
commit 2cffb21604
8 changed files with 30 additions and 39 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
python/ql/test/query-tests/Security/CWE-1004-NonHttpOnlyCookie/NonHttpOnlyCookie.expected
View File

@@ -1,7 +1,3 @@
| test.py:8:5:8:37 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
| test.py:9:5:9:50 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
| test.py:11:5:11:56 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
| test.py:12:5:12:53 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
| test.py:13:5:13:54 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
| test.py:14:5:14:69 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
| test.py:16:5:16:67 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
| test.py:8:5:8:38 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
| test.py:9:5:9:51 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
| test.py:11:5:11:57 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |

16
python/ql/test/query-tests/Security/CWE-1004-NonHttpOnlyCookie/test.py
View File

@@ -5,14 +5,8 @@ app = Flask(__name__)
@app.route("/test")
def test():
resp = make_response()
resp.set_cookie("key1", "value1") # $Alert[py/client-exposed-cookie]
resp.set_cookie("key2", "value2", secure=True) # $Alert[py/client-exposed-cookie]
resp.set_cookie("key2", "value2", httponly=True)
resp.set_cookie("key2", "value2", samesite="Strict") # $Alert[py/client-exposed-cookie]
resp.set_cookie("key2", "value2", samesite="Lax") # $Alert[py/client-exposed-cookie]
resp.set_cookie("key2", "value2", samesite="None") # $Alert[py/client-exposed-cookie]
resp.set_cookie("key2", "value2", secure=True, samesite="Strict") # $Alert[py/client-exposed-cookie]
resp.set_cookie("key2", "value2", httponly=True, samesite="Strict")
resp.set_cookie("key2", "value2", secure=True, samesite="None") # $Alert[py/client-exposed-cookie]
resp.set_cookie("key2", "value2", httponly=True, samesite="None")
resp.set_cookie("key2", "value2", secure=True, httponly=True, samesite="Strict")
resp.set_cookie("oauth", "value1") # $Alert[py/client-exposed-cookie]
resp.set_cookie("oauth", "value2", secure=True) # $Alert[py/client-exposed-cookie]
resp.set_cookie("oauth", "value2", httponly=True)
resp.set_cookie("oauth", "value2", samesite="Strict") # $Alert[py/client-exposed-cookie]
resp.set_cookie("oauth", "value2", httponly=True, samesite="None")

5
python/ql/test/query-tests/Security/CWE-1275-SameSiteNoneCookie/SameSiteNoneCookie.expected
View File

@@ -1,3 +1,2 @@
| test.py:13:5:13:54 | ControlFlowNode for Attribute() | Cookie is added with the SameSite attribute set to None. |
| test.py:16:5:16:67 | ControlFlowNode for Attribute() | Cookie is added with the SameSite attribute set to None. |
| test.py:17:5:17:69 | ControlFlowNode for Attribute() | Cookie is added with the SameSite attribute set to None. |
| test.py:10:5:10:60 | ControlFlowNode for Attribute() | Cookie is added with the SameSite attribute set to None. |
| test.py:13:5:13:78 | ControlFlowNode for Attribute() | Cookie is added with the SameSite attribute set to None. |

21
python/ql/test/query-tests/Security/CWE-1275-SameSiteNoneCookie/test.py
View File

@@ -3,16 +3,13 @@ from flask import Flask, request, make_response
app = Flask(__name__)
@app.route("/test")
def test():
def test(oauth_cookie_name):
resp = make_response()
resp.set_cookie("key1", "value1")
resp.set_cookie("key2", "value2", secure=True)
resp.set_cookie("key2", "value2", httponly=True)
resp.set_cookie("key2", "value2", samesite="Strict")
resp.set_cookie("key2", "value2", samesite="Lax")
resp.set_cookie("key2", "value2", samesite="None") # $Alert[py/samesite-none-cookie]
resp.set_cookie("key2", "value2", secure=True, samesite="Strict")
resp.set_cookie("key2", "value2", httponly=True, samesite="Strict")
resp.set_cookie("key2", "value2", secure=True, samesite="None") # $Alert[py/samesite-none-cookie]
resp.set_cookie("key2", "value2", httponly=True, samesite="None") # $Alert[py/samesite-none-cookie]
resp.set_cookie("key2", "value2", secure=True, httponly=True, samesite="Strict")
resp.set_cookie("password", "value1")
resp.set_cookie("authKey", "value2", samesite="Lax")
resp.set_cookie("session_id", "value2", samesite="None") # $Alert[py/samesite-none-cookie]
resp.set_cookie("oauth", "value2", secure=True, samesite="Strict")
resp.set_cookie("oauth", "value2", httponly=True, samesite="Strict")
resp.set_cookie(oauth_cookie_name, "value2", secure=True, samesite="None") # $Alert[py/samesite-none-cookie]
resp.set_cookie("not_sensitive", "value2", samesite="None")