Split test cases for insecure cookie queries

2025-12-16 16:53:25 +01:00 · 2025-09-19 14:41:02 +01:00
parent 04316d306f
commit 2e95c2b3c2
10 changed files with 68 additions and 22 deletions
--- a/python/ql/src/Security/CWE-1275/SameSiteNoneCookie.ql
+++ b/python/ql/src/Security/CWE-1275/SameSiteNoneCookie.ql
@@ -3,7 +3,7 @@
 * @description Cookies with `SameSite` set to `None` can allow for Cross-Site Request Forgery (CSRF) attacks.
 * @kind problem
 * @problem.severity warning
- * @security-severity 5.0
+ * @security-severity 3.5
 * @precision high
 * @id py/samesite-none-cookie
 * @tags security
--- a/python/ql/test/query-tests/Security/CWE-1004-NonHttpOnlyCookie/NonHttpOnlyCookie.expected
+++ b/python/ql/test/query-tests/Security/CWE-1004-NonHttpOnlyCookie/NonHttpOnlyCookie.expected
@@ -0,0 +1,7 @@
+| test.py:8:5:8:37 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
+| test.py:9:5:9:50 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
+| test.py:11:5:11:56 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
+| test.py:12:5:12:53 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
+| test.py:13:5:13:54 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
+| test.py:14:5:14:69 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
+| test.py:16:5:16:67 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
--- a/python/ql/test/query-tests/Security/CWE-1004-NonHttpOnlyCookie/NonHttpOnlyCookie.qlref
+++ b/python/ql/test/query-tests/Security/CWE-1004-NonHttpOnlyCookie/NonHttpOnlyCookie.qlref
@@ -0,0 +1,2 @@
+query: Security/CWE-1004/NonHttpOnlyCookie.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/query-tests/Security/CWE-1004-NonHttpOnlyCookie/test.py
+++ b/python/ql/test/query-tests/Security/CWE-1004-NonHttpOnlyCookie/test.py
@@ -0,0 +1,18 @@
+from flask import Flask, request, make_response
+
+app = Flask(__name__)
+
+@app.route("/test")
+def test():
+    resp = make_response()
+    resp.set_cookie("key1", "value1") # $Alert[py/client-exposed-cookie]
+    resp.set_cookie("key2", "value2", secure=True) # $Alert[py/client-exposed-cookie]
+    resp.set_cookie("key2", "value2", httponly=True) 
+    resp.set_cookie("key2", "value2", samesite="Strict") # $Alert[py/client-exposed-cookie]
+    resp.set_cookie("key2", "value2", samesite="Lax") # $Alert[py/client-exposed-cookie]
+    resp.set_cookie("key2", "value2", samesite="None") # $Alert[py/client-exposed-cookie]
+    resp.set_cookie("key2", "value2", secure=True, samesite="Strict") # $Alert[py/client-exposed-cookie]
+    resp.set_cookie("key2", "value2", httponly=True, samesite="Strict") 
+    resp.set_cookie("key2", "value2", secure=True, samesite="None") # $Alert[py/client-exposed-cookie]
+    resp.set_cookie("key2", "value2", httponly=True, samesite="None") 
+    resp.set_cookie("key2", "value2", secure=True, httponly=True, samesite="Strict")
--- a/python/ql/test/query-tests/Security/CWE-1275-SameSiteNoneCookie/SameSiteNoneCookie.expected
+++ b/python/ql/test/query-tests/Security/CWE-1275-SameSiteNoneCookie/SameSiteNoneCookie.expected
@@ -0,0 +1,3 @@
+| test.py:13:5:13:54 | ControlFlowNode for Attribute() | Cookie is added with the SameSite attribute set to None. |
+| test.py:16:5:16:67 | ControlFlowNode for Attribute() | Cookie is added with the SameSite attribute set to None. |
+| test.py:17:5:17:69 | ControlFlowNode for Attribute() | Cookie is added with the SameSite attribute set to None. |
--- a/python/ql/test/query-tests/Security/CWE-1275-SameSiteNoneCookie/SameSiteNoneCookie.qlref
+++ b/python/ql/test/query-tests/Security/CWE-1275-SameSiteNoneCookie/SameSiteNoneCookie.qlref
@@ -0,0 +1,2 @@
+query: Security/CWE-1275/SameSiteNoneCookie.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/query-tests/Security/CWE-1275-SameSiteNoneCookie/test.py
+++ b/python/ql/test/query-tests/Security/CWE-1275-SameSiteNoneCookie/test.py
@@ -0,0 +1,18 @@
+from flask import Flask, request, make_response
+
+app = Flask(__name__)
+
+@app.route("/test")
+def test():
+    resp = make_response()
+    resp.set_cookie("key1", "value1") 
+    resp.set_cookie("key2", "value2", secure=True) 
+    resp.set_cookie("key2", "value2", httponly=True) 
+    resp.set_cookie("key2", "value2", samesite="Strict") 
+    resp.set_cookie("key2", "value2", samesite="Lax") 
+    resp.set_cookie("key2", "value2", samesite="None") # $Alert[py/samesite-none-cookie]
+    resp.set_cookie("key2", "value2", secure=True, samesite="Strict") 
+    resp.set_cookie("key2", "value2", httponly=True, samesite="Strict") 
+    resp.set_cookie("key2", "value2", secure=True, samesite="None") # $Alert[py/samesite-none-cookie]
+    resp.set_cookie("key2", "value2", httponly=True, samesite="None") # $Alert[py/samesite-none-cookie]
+    resp.set_cookie("key2", "value2", secure=True, httponly=True, samesite="Strict")
--- a/python/ql/test/query-tests/Security/CWE-614-InsecureCookie/InsecureCookie.expected
+++ b/python/ql/test/query-tests/Security/CWE-614-InsecureCookie/InsecureCookie.expected
@@ -1,10 +1,7 @@
-| test.py:10:5:10:37 | ControlFlowNode for Attribute() | Cookie is added without the Secure and HttpOnly attributes properly set. |
-| test.py:11:5:11:50 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
-| test.py:12:5:12:52 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
-| test.py:13:5:13:56 | ControlFlowNode for Attribute() | Cookie is added without the Secure and HttpOnly attributes properly set. |
-| test.py:14:5:14:53 | ControlFlowNode for Attribute() | Cookie is added without the Secure and HttpOnly attributes properly set. |
-| test.py:15:5:15:54 | ControlFlowNode for Attribute() | Cookie is added without the Secure, HttpOnly, and SameSite attributes properly set. |
-| test.py:16:5:16:69 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
-| test.py:17:5:17:71 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
-| test.py:18:5:18:67 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly and SameSite attributes properly set. |
-| test.py:19:5:19:69 | ControlFlowNode for Attribute() | Cookie is added without the Secure and SameSite attributes properly set. |
+| test.py:8:5:8:37 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
+| test.py:10:5:10:52 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
+| test.py:11:5:11:56 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
+| test.py:12:5:12:53 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
+| test.py:13:5:13:54 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
+| test.py:15:5:15:71 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
+| test.py:17:5:17:69 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
--- a/python/ql/test/query-tests/Security/CWE-614-InsecureCookie/InsecureCookie.qlref
+++ b/python/ql/test/query-tests/Security/CWE-614-InsecureCookie/InsecureCookie.qlref
@@ -1 +1,2 @@
-Security/CWE-614/InsecureCookie.ql
+query: Security/CWE-614/InsecureCookie.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/query-tests/Security/CWE-614-InsecureCookie/test.py
+++ b/python/ql/test/query-tests/Security/CWE-614-InsecureCookie/test.py
@@ -1,20 +1,18 @@
 from flask import Flask, request, make_response
-import lxml.etree
-import markupsafe

 app = Flask(__name__)

@app.route("/test")
 def test():
    resp = make_response()
-    resp.set_cookie("key1", "value1")
-    resp.set_cookie("key2", "value2", secure=True)
-    resp.set_cookie("key2", "value2", httponly=True)
-    resp.set_cookie("key2", "value2", samesite="Strict")
-    resp.set_cookie("key2", "value2", samesite="Lax")
-    resp.set_cookie("key2", "value2", samesite="None")
+    resp.set_cookie("key1", "value1") # $Alert[py/insecure-cookie]
+    resp.set_cookie("key2", "value2", secure=True) 
+    resp.set_cookie("key2", "value2", httponly=True) # $Alert[py/insecure-cookie]
+    resp.set_cookie("key2", "value2", samesite="Strict") # $Alert[py/insecure-cookie]
+    resp.set_cookie("key2", "value2", samesite="Lax") # $Alert[py/insecure-cookie]
+    resp.set_cookie("key2", "value2", samesite="None") # $Alert[py/insecure-cookie]
    resp.set_cookie("key2", "value2", secure=True, samesite="Strict")
-    resp.set_cookie("key2", "value2", httponly=True, samesite="Strict")
+    resp.set_cookie("key2", "value2", httponly=True, samesite="Strict") # $Alert[py/insecure-cookie]
    resp.set_cookie("key2", "value2", secure=True, samesite="None")
-    resp.set_cookie("key2", "value2", httponly=True, samesite="None")
+    resp.set_cookie("key2", "value2", httponly=True, samesite="None") # $Alert[py/insecure-cookie]
    resp.set_cookie("key2", "value2", secure=True, httponly=True, samesite="Strict")