Cookies without HttpOnly

2026-04-26 09:15:12 +02:00 · 2021-04-27 16:23:37 +03:00
parent 578ce1e512
commit 3aec9c1a41
14 changed files with 516 additions and 34 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-1004/test_httpserver.js
+++ b/javascript/ql/test/query-tests/Security/CWE-1004/test_httpserver.js
@@ -0,0 +1,71 @@
+const http = require('http');
+
+function test1() {
+    const server = http.createServer((req, res) => {
+        res.setHeader('Content-Type', 'text/html');
+        // BAD
+        res.setHeader("Set-Cookie", "auth=ninja");
+        res.writeHead(200, { 'Content-Type': 'text/plain' });
+        res.end('ok');
+    });
+}
+
+function test2() {
+    const server = http.createServer((req, res) => {
+        res.setHeader('Content-Type', 'text/html');
+        // GOOD
+        res.setHeader("Set-Cookie", "auth=ninja; HttpOnly");
+        res.writeHead(200, { 'Content-Type': 'text/plain' });
+        res.end('ok');
+    });
+}
+
+function test3() {
+    const server = http.createServer((req, res) => {
+        res.setHeader('Content-Type', 'text/html');
+        // BAD
+        res.setHeader("Set-Cookie", ["auth=ninja", "token=javascript"]);
+        res.writeHead(200, { 'Content-Type': 'text/plain' });
+        res.end('ok');
+    });
+}
+
+function test4() {
+    const server = http.createServer((req, res) => {
+        res.setHeader('Content-Type', 'text/html');
+        // GOOD
+        res.setHeader("Set-Cookie", ["auth=ninja; HttpOnly"]);
+        res.writeHead(200, { 'Content-Type': 'text/plain' });
+        res.end('ok');
+    });
+}
+
+function test5() {
+    const server = http.createServer((req, res) => {
+        res.setHeader('Content-Type', 'text/html');
+        // GOOD, case insensitive
+        res.setHeader("Set-Cookie", ["auth=ninja; httponly"]);
+        res.writeHead(200, { 'Content-Type': 'text/plain' });
+        res.end('ok');
+    });
+}
+
+function test6() {
+    const server = http.createServer((req, res) => {
+        res.setHeader('Content-Type', 'text/html');
+        // BAD
+        res.setHeader("Set-Cookie", ["auth=ninja; httponly", "token=javascript"]);
+        res.writeHead(200, { 'Content-Type': 'text/plain' });
+        res.end('ok');
+    });
+}
+
+function test7() {
+    const server = http.createServer((req, res) => {
+        res.setHeader('Content-Type', 'text/html');
+        // Good, not auth related
+        res.setHeader("Set-Cookie", ["foo=ninja", "bar=javascript"]);
+        res.writeHead(200, { 'Content-Type': 'text/plain' });
+        res.end('ok');
+    });
+}