hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-22 15:25:18 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fix places which already dealt with both javax and jakarta

Browse Source
This commit is contained in:
Owen Mansel-Chan
2026-02-12 12:32:25 +00:00
parent 4b240ebf8a
commit 31840902cd
10 changed files with 14 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
java/ql/src/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
View File

@@ -145,8 +145,7 @@ class CookieResponseWithoutHttpOnlySink extends DataFlow::ExprNode {
/** Holds if `cie` is an invocation of a JAX-RS `NewCookie` constructor that sets `HttpOnly` to true. */
predicate setsHttpOnlyInNewCookie(ClassInstanceExpr cie) {
cie.getConstructedType()
.hasQualifiedName([javaxOrJakarta() + ".ws.rs.core", "jakarta.ws.rs.core"], "NewCookie") and
cie.getConstructedType().hasQualifiedName(javaxOrJakarta() + ".ws.rs.core", "NewCookie") and
(
cie.getNumArgument() = 6 and
mayBeBooleanTrue(cie.getArgument(5)) // NewCookie(Cookie cookie, String comment, int maxAge, Date expiry, boolean secure, boolean httpOnly)