Merge pull request #16933 from joefarebrother/python-cookie-concept-promote

Python: Promote the insecure cookie query from experimental
2026-05-02 20:25:13 +02:00 · 2024-08-07 09:06:05 +01:00
parent e222b49258 24df54804a
commit 62c2fe6b17
39 changed files with 347 additions and 490 deletions
--- a/python/ql/test/experimental/meta/ConceptsTest.qll
+++ b/python/ql/test/experimental/meta/ConceptsTest.qll
@@ -405,7 +405,10 @@ module HttpServerHttpRedirectResponseTest implements TestSig {

 module HttpServerCookieWriteTest implements TestSig {
  string getARelevantTag() {
-    result in ["CookieWrite", "CookieRawHeader", "CookieName", "CookieValue"]
+    result in [
+        "CookieWrite", "CookieRawHeader", "CookieName", "CookieValue", "CookieSecure",
+        "CookieHttpOnly", "CookieSameSite"
+      ]
  }

  predicate hasActualResult(Location location, string element, string tag, string value) {
@@ -428,6 +431,20 @@ module HttpServerCookieWriteTest implements TestSig {
        element = cookieWrite.toString() and
        value = prettyNodeForInlineTest(cookieWrite.getValueArg()) and
        tag = "CookieValue"
+        or
+        element = cookieWrite.toString() and
+        value = any(boolean b | cookieWrite.hasSecureFlag(b)).toString() and
+        tag = "CookieSecure"
+        or
+        element = cookieWrite.toString() and
+        value = any(boolean b | cookieWrite.hasHttpOnlyFlag(b)).toString() and
+        tag = "CookieHttpOnly"
+        or
+        element = cookieWrite.toString() and
+        value =
+          any(Http::Server::CookieWrite::SameSiteValue v | cookieWrite.hasSameSiteAttribute(v))
+              .toString() and
+        tag = "CookieSameSite"
      )
    )
  }
--- a/python/ql/test/experimental/query-tests/Security/CWE-614/InsecureCookie.expected
+++ b/python/ql/test/experimental/query-tests/Security/CWE-614/InsecureCookie.expected
@@ -1,30 +0,0 @@
-| django_bad.py:6:5:7:52 | ControlFlowNode for Attribute() | Cookie is added without the 'httponly' flag properly set. |
-| django_bad.py:6:5:7:52 | ControlFlowNode for Attribute() | Cookie is added without the 'samesite' flag properly set. |
-| django_bad.py:6:5:7:52 | ControlFlowNode for Attribute() | Cookie is added without the 'secure' flag properly set. |
-| django_bad.py:13:5:13:26 | ControlFlowNode for Subscript | Cookie is added without the 'httponly' flag properly set. |
-| django_bad.py:13:5:13:26 | ControlFlowNode for Subscript | Cookie is added without the 'samesite' flag properly set. |
-| django_bad.py:13:5:13:26 | ControlFlowNode for Subscript | Cookie is added without the 'secure' flag properly set. |
-| django_bad.py:19:5:21:66 | ControlFlowNode for Attribute() | Cookie is added without the 'httponly' flag properly set. |
-| django_bad.py:19:5:21:66 | ControlFlowNode for Attribute() | Cookie is added without the 'samesite' flag properly set. |
-| django_bad.py:19:5:21:66 | ControlFlowNode for Attribute() | Cookie is added without the 'secure' flag properly set. |
-| django_bad.py:27:5:27:26 | ControlFlowNode for Subscript | Cookie is added without the 'httponly' flag properly set. |
-| django_bad.py:27:5:27:26 | ControlFlowNode for Subscript | Cookie is added without the 'samesite' flag properly set. |
-| django_bad.py:27:5:27:26 | ControlFlowNode for Subscript | Cookie is added without the 'secure' flag properly set. |
-| django_good.py:19:5:19:44 | ControlFlowNode for Attribute() | Cookie is added without the 'httponly' flag properly set. |
-| django_good.py:19:5:19:44 | ControlFlowNode for Attribute() | Cookie is added without the 'samesite' flag properly set. |
-| django_good.py:19:5:19:44 | ControlFlowNode for Attribute() | Cookie is added without the 'secure' flag properly set. |
-| flask_bad.py:9:5:10:52 | ControlFlowNode for Attribute() | Cookie is added without the 'httponly' flag properly set. |
-| flask_bad.py:9:5:10:52 | ControlFlowNode for Attribute() | Cookie is added without the 'samesite' flag properly set. |
-| flask_bad.py:9:5:10:52 | ControlFlowNode for Attribute() | Cookie is added without the 'secure' flag properly set. |
-| flask_bad.py:17:5:17:30 | ControlFlowNode for Subscript | Cookie is added without the 'httponly' flag properly set. |
-| flask_bad.py:17:5:17:30 | ControlFlowNode for Subscript | Cookie is added without the 'samesite' flag properly set. |
-| flask_bad.py:17:5:17:30 | ControlFlowNode for Subscript | Cookie is added without the 'secure' flag properly set. |
-| flask_bad.py:24:5:25:52 | ControlFlowNode for Attribute() | Cookie is added without the 'httponly' flag properly set. |
-| flask_bad.py:24:5:25:52 | ControlFlowNode for Attribute() | Cookie is added without the 'samesite' flag properly set. |
-| flask_bad.py:24:5:25:52 | ControlFlowNode for Attribute() | Cookie is added without the 'secure' flag properly set. |
-| flask_bad.py:32:5:32:30 | ControlFlowNode for Subscript | Cookie is added without the 'httponly' flag properly set. |
-| flask_bad.py:32:5:32:30 | ControlFlowNode for Subscript | Cookie is added without the 'samesite' flag properly set. |
-| flask_bad.py:32:5:32:30 | ControlFlowNode for Subscript | Cookie is added without the 'secure' flag properly set. |
-| flask_good.py:23:5:23:57 | ControlFlowNode for Attribute() | Cookie is added without the 'httponly' flag properly set. |
-| flask_good.py:23:5:23:57 | ControlFlowNode for Attribute() | Cookie is added without the 'samesite' flag properly set. |
-| flask_good.py:23:5:23:57 | ControlFlowNode for Attribute() | Cookie is added without the 'secure' flag properly set. |
--- a/python/ql/test/experimental/query-tests/Security/CWE-614/InsecureCookie.qlref
+++ b/python/ql/test/experimental/query-tests/Security/CWE-614/InsecureCookie.qlref
@@ -1 +0,0 @@
-experimental/Security/CWE-614/InsecureCookie.ql
--- a/python/ql/test/experimental/query-tests/Security/CWE-614/django_bad.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-614/django_bad.py
@@ -1,28 +0,0 @@
-import django.http
-
-
-def django_response(request):
-    resp = django.http.HttpResponse()
-    resp.set_cookie("name", "value", secure=False,
-                    httponly=False, samesite='None')
-    return resp
-
-
-def django_response():
-    response = django.http.HttpResponse()
-    response['Set-Cookie'] = "name=value; SameSite=None;"
-    return response
-
-
-def django_response(request):
-    resp = django.http.HttpResponse()
-    resp.set_cookie(django.http.request.GET.get("name"),
-                    django.http.request.GET.get("value"),
-                    secure=False, httponly=False, samesite='None')
-    return resp
-
-
-def django_response():
-    response = django.http.HttpResponse()
-    response['Set-Cookie'] = f"{django.http.request.GET.get('name')}={django.http.request.GET.get('value')}; SameSite=None;"
-    return response
--- a/python/ql/test/experimental/query-tests/Security/CWE-614/django_good.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-614/django_good.py
@@ -1,20 +0,0 @@
-import django.http
-
-
-def django_response(request):
-    resp = django.http.HttpResponse()
-    resp['Set-Cookie'] = "name=value; Secure; HttpOnly; SameSite=Lax;"
-    return resp
-
-
-def django_response(request):
-    resp = django.http.HttpResponse()
-    resp.set_cookie("name", "value", secure=True,
-                    httponly=True, samesite='Lax')
-    return resp
-
-
-def indeterminate(secure):
-    resp = django.http.HttpResponse()
-    resp.set_cookie("name", "value", secure)
-    return resp
--- a/python/ql/test/experimental/query-tests/Security/CWE-614/flask_bad.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-614/flask_bad.py
@@ -1,37 +0,0 @@
-from flask import Flask, request, make_response, Response
-
-app = Flask(__name__)
-
-
-@app.route("/1")
-def false():
-    resp = make_response()
-    resp.set_cookie("name", value="value", secure=False,
-                    httponly=False, samesite='None')
-    return resp
-
-
-@app.route("/2")
-def flask_Response():
-    resp = Response()
-    resp.headers['Set-Cookie'] = "name=value; SameSite=None;"
-    return resp
-
-
-@app.route("/3")
-def false():
-    resp = make_response()
-    resp.set_cookie(request.args["name"], value=request.args["value"], secure=False,
-                    httponly=False, samesite='None')
-    return resp
-
-
-@app.route("/4")
-def flask_Response():
-    resp = Response()
-    resp.headers['Set-Cookie'] = f"{request.args['name']}={request.args['value']}; SameSite=None;"
-    return resp
-
-
-# if __name__ == "__main__":
-#     app.run(debug=True)
--- a/python/ql/test/experimental/query-tests/Security/CWE-614/flask_good.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-614/flask_good.py
@@ -1,28 +0,0 @@
-from flask import Flask, request, make_response, Response
-
-app = Flask(__name__)
-
-
-@app.route("/1")
-def true():
-    resp = make_response()
-    resp.set_cookie("name", value="value", secure=True,
-                    httponly=True, samesite='Lax')
-    return resp
-
-
-@app.route("/2")
-def flask_Response():
-    resp = Response()
-    resp.headers['Set-Cookie'] = "name=value; Secure; HttpOnly; SameSite=Lax;"
-    return resp
-
-
-def indeterminate(secure):
-    resp = make_response()
-    resp.set_cookie("name", value="value", secure=secure)
-    return resp
-
-
-# if __name__ == "__main__":
-#     app.run(debug=True)
				`@@ -1 +0,0 @@`
				`experimental/Security/CWE-614/InsecureCookie.ql`