hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-01 11:45:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Comments

Browse Source
This commit is contained in:
edvraa
2021-05-11 12:49:33 +03:00
committed by Owen Mansel-Chan
parent 0b9959e4ef
commit 5349c98ae1
1 changed files with 6 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
ql/src/experimental/CWE-1004/CookieWithoutHttpOnly.ql
View File

@@ -16,6 +16,7 @@ import go
import AuthCookie
import DataFlow::PathGraph
/** Holds if `HttpOnly` of `net/http.SetCookie` is set to `false` or not set (default value is used). */
predicate isNetHttpCookieFlow(DataFlow::PathNode source, DataFlow::PathNode sink) {
exists(DataFlow::PathNode cookieCreate, DataFlow::PathNode setCookieSink |
exists(NetHttpCookieTrackingConfiguration cfg | cfg.hasFlowPath(cookieCreate, setCookieSink)) and
@@ -33,10 +34,15 @@ predicate isNetHttpCookieFlow(DataFlow::PathNode source, DataFlow::PathNode sink
)
}
/** Holds if `HttpOnly` of `gin-gonic/gin.Context.SetCookie` is set to `false` or not set (default value is used). */
predicate isGinContextCookieFlow(DataFlow::PathNode source, DataFlow::PathNode sink) {
any(BoolToGinSetCookieTrackingConfiguration cfg).hasFlowPath(source, sink)
}
/**
* Holds if there is gorilla cookie store creation to `Save` path and
* `HttpOnly` is set to `false` or not set (default value is used).
*/
predicate isGorillaSessionsCookieFlow(DataFlow::PathNode source, DataFlow::PathNode sink) {
exists(DataFlow::PathNode cookieStoreCreate, DataFlow::PathNode sessionSave |
any(GorillaCookieStoreSaveTrackingConfiguration cfg).hasFlowPath(cookieStoreCreate, sessionSave) and