hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Refactor parts of SensitiveCookieNameConfig

Browse Source
This commit is contained in:
Joe Farebrother
2025-11-17 15:44:14 +00:00
parent 03d63dec2e
commit 5b702d963e
1 changed files with 19 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
go/ql/lib/semmle/go/security/SecureCookies.qll
View File

@@ -4,22 +4,24 @@ import go
import semmle.go.concepts.HTTP import semmle.go.concepts.HTTP
import semmle.go.dataflow.DataFlow import semmle.go.dataflow.DataFlow
/**
* Holds if the expression or its value has a sensitive name
*/
private predicate isSensitiveExpr(Expr expr, string val) {
(
val = expr.getStringValue() or
val = expr.(Name).getTarget().getName()
) and
val.regexpMatch("(?i).*(session|login|token|user|auth|credential).*") and
not val.regexpMatch("(?i).*(xsrf|csrf|forgery).*")
}
private module SensitiveCookieNameConfig implements DataFlow::ConfigSig { private module SensitiveCookieNameConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { isSensitiveExpr(source.asExpr(), _) } /**
* Holds if `source` is an expression with a name or literal value `val` indicating a sensitive cookie.
*/
additional predicate isSource(DataFlow::Node source, string val) {
(
val = source.asExpr().getStringValue() or
val = source.asExpr().(Name).getTarget().getName()
) and
val.regexpMatch("(?i).*(session|login|token|user|auth|credential).*") and
not val.regexpMatch("(?i).*(xsrf|csrf|forgery).*")
}
predicate isSink(DataFlow::Node sink) { exists(Http::CookieWrite cw | sink = cw.getName()) } predicate isSource(DataFlow::Node source) { isSource(source, _) }
additional predicate isSink(DataFlow::Node sink, Http::CookieWrite cw) { sink = cw.getName() }
predicate isSink(DataFlow::Node sink) { isSink(sink, _) }
predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
exists(Http::CookieOptionWrite co | co.getName() = pred and co.getCookieOutput() = succ) exists(Http::CookieOptionWrite co | co.getName() = pred and co.getCookieOutput() = succ)
@@ -98,11 +100,10 @@ predicate isNonHttpOnlyCookie(Http::CookieWrite cw) {
* `source` and `sink` represent the data flow path from the sensitive name expression to the cookie write. * `source` and `sink` represent the data flow path from the sensitive name expression to the cookie write.
*/ */
predicate isSensitiveCookie( predicate isSensitiveCookie(
Http::CookieWrite cw, Expr nameExpr, string name, SensitiveCookieNameFlow::PathNode source, Http::CookieWrite cw, string name, SensitiveCookieNameFlow::PathNode source,
SensitiveCookieNameFlow::PathNode sink SensitiveCookieNameFlow::PathNode sink
) { ) {
SensitiveCookieNameFlow::flowPath(source, sink) and SensitiveCookieNameFlow::flowPath(source, sink) and
source.getNode().asExpr() = nameExpr and SensitiveCookieNameConfig::isSource(source.getNode(), name) and
sink.getNode() = cw.getName() and SensitiveCookieNameConfig::isSink(sink.getNode(), cw)
isSensitiveExpr(nameExpr, name)
} }