Model cookie attributes for Django and Flask

2026-04-27 17:55:19 +02:00 · 2024-07-09 23:15:16 +01:00
parent 6a7bdaf284
commit 32fbe52f0f
4 changed files with 84 additions and 10 deletions
--- a/python/ql/lib/semmle/python/frameworks/Django.qll
+++ b/python/ql/lib/semmle/python/frameworks/Django.qll
@@ -2186,6 +2186,48 @@ module PrivateDjango {
          override DataFlow::Node getValueArg() {
            result in [this.getArg(1), this.getArgByName("value")]
          }
+
+          override predicate hasSecureFlag(boolean b) {
+            super.hasSecureFlag(b)
+            or
+            exists(DataFlow::Node arg, BooleanLiteral bool | arg = this.getArgByName("secure") |
+              DataFlow::localFlow(DataFlow::exprNode(bool), arg) and
+              b = bool.booleanValue()
+            )
+            or
+            not exists(this.getArgByName("secure")) and
+            b = false
+          }
+
+          override predicate hasHttpOnlyFlag(boolean b) {
+            super.hasHttpOnlyFlag(b)
+            or
+            exists(DataFlow::Node arg, BooleanLiteral bool | arg = this.getArgByName("httponly") |
+              DataFlow::localFlow(DataFlow::exprNode(bool), arg) and
+              b = bool.booleanValue()
+            )
+            or
+            not exists(this.getArgByName("httponly")) and
+            b = false
+          }
+
+          override predicate hasSameSiteFlag(boolean b) {
+            super.hasHttpOnlyFlag(b)
+            or
+            exists(DataFlow::Node arg, StringLiteral str | arg = this.getArgByName("samesite") |
+              DataFlow::localFlow(DataFlow::exprNode(str), arg) and
+              (
+                str.getText().toLowerCase() = ["strict", "lax"] and
+                b = true
+                or
+                str.getText().toLowerCase() = "none" and
+                b = false
+              )
+            )
+            or
+            not exists(this.getArgByName("samesite")) and
+            b = true // Lax is the default
+          }
        }

        /**
--- a/python/ql/lib/semmle/python/frameworks/Flask.qll
+++ b/python/ql/lib/semmle/python/frameworks/Flask.qll
@@ -593,6 +593,48 @@ module Flask {
    override DataFlow::Node getNameArg() { result in [this.getArg(0), this.getArgByName("key")] }

    override DataFlow::Node getValueArg() { result in [this.getArg(1), this.getArgByName("value")] }
+
+    override predicate hasSecureFlag(boolean b) {
+      super.hasSecureFlag(b)
+      or
+      exists(DataFlow::Node arg, BooleanLiteral bool | arg = this.getArgByName("secure") |
+        DataFlow::localFlow(DataFlow::exprNode(bool), arg) and
+        b = bool.booleanValue()
+      )
+      or
+      not exists(this.getArgByName("secure")) and
+      b = false
+    }
+
+    override predicate hasHttpOnlyFlag(boolean b) {
+      super.hasHttpOnlyFlag(b)
+      or
+      exists(DataFlow::Node arg, BooleanLiteral bool | arg = this.getArgByName("httponly") |
+        DataFlow::localFlow(DataFlow::exprNode(bool), arg) and
+        b = bool.booleanValue()
+      )
+      or
+      not exists(this.getArgByName("httponly")) and
+      b = false
+    }
+
+    override predicate hasSameSiteFlag(boolean b) {
+      super.hasHttpOnlyFlag(b)
+      or
+      exists(DataFlow::Node arg, StringLiteral str | arg = this.getArgByName("samesite") |
+        DataFlow::localFlow(DataFlow::exprNode(str), arg) and
+        (
+          str.getText().toLowerCase() = ["strict", "lax"] and
+          b = true
+          or
+          str.getText().toLowerCase() = "none" and
+          b = false
+        )
+      )
+      or
+      not exists(this.getArgByName("samesite")) and
+      b = true // Lax is the default
+    }
  }

  /**