Merge pull request #6855 from erik-krogh/secCookie

JS: Move cookie queries out of experimental.

javascript/ql/src/Security/CWE-1004/ClientExposedCookie.qhelp

@@ -0,0 +1,40 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Authentication cookies stored by a server can be accessed by a client if the <code>httpOnly</code> flag is not set.
+</p>
+<p>
+An attacker that manages a cross-site scripting (XSS) attack can read the cookie and hijack the session.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Set the <code>httpOnly</code> flag on all cookies that are not needed by the client.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example stores an authentication token in a cookie that can 
+be viewed by the client.
+</p>
+<sample src="examples/ClientExposedCookieGood.js"/>
+<p>
+To force the cookie to be transmitted using SSL, set the <code>secure</code>
+attribute on the cookie.
+</p>
+<sample src="examples/ClientExposedCookieBad.js"/>
+</example>
+
+<references>
+<li>ExpressJS: <a href="https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely">Use cookies securely</a>.</li>
+<li>OWASP: <a href="https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately">Set cookie flags appropriately</a>.</li>
+<li>Mozilla: <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie">Set-Cookie</a>.</li>
+</references>
+
+</qhelp>

javascript/ql/src/Security/CWE-1004/ClientExposedCookie.ql

@@ -0,0 +1,20 @@
+/**
+ * @name Sensitive server cookie exposed to the client
+ * @description Sensitive cookies set by a server can be read by the client if the `httpOnly` flag is not set.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 5.0
+ * @precision high
+ * @id js/client-exposed-cookie
+ * @tags security
+ *       external/cwe/cwe-1004
+ */
+
+import javascript
+
+from CookieWrites::CookieWrite cookie
+where
+  cookie.isSensitive() and
+  cookie.isServerSide() and
+  not cookie.isHttpOnly()
+select cookie, "Sensitive server cookie is missing 'httpOnly' flag."

javascript/ql/src/Security/CWE-1004/examples/ClientExposedCookieBad.js

@@ -0,0 +1,7 @@
+const http = require('http');
+
+const server = http.createServer((req, res) => {
+    res.setHeader("Set-Cookie", `authKey=${makeAuthkey()}`);
+    res.writeHead(200, { 'Content-Type': 'text/html' });
+    res.end('<h2>Hello world</h2>');
+});

javascript/ql/src/Security/CWE-1004/examples/ClientExposedCookieGood.js

@@ -0,0 +1,7 @@
+const http = require('http');
+
+const server = http.createServer((req, res) => {
+    res.setHeader("Set-Cookie", `authKey=${makeAuthkey()}; secure; httpOnly`);
+    res.writeHead(200, { 'Content-Type': 'text/html' });
+    res.end('<h2>Hello world</h2>');
+});

javascript/ql/src/Security/CWE-614/ClearTextCookie.qhelp

@@ -0,0 +1,38 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>
+Cookies that are transmitted in clear text can be intercepted by an attacker.
+If sensitive cookies are intercepted, the attacker can read the cookie and
+use it to perform actions on the user's behalf.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Always transmit sensitive cookies using SSL by setting the <code>secure</code>
+attribute on the cookie.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example stores an authentication token in a cookie that can 
+be transmitted in clear text.
+</p>
+<sample src="examples/ClearTextCookieBad.js"/>
+<p>
+To force the cookie to be transmitted using SSL, set the <code>secure</code>
+attribute on the cookie.
+</p>
+<sample src="examples/ClearTextCookieGood.js"/>
+</example>
+
+<references>
+<li>ExpressJS: <a href="https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely">Use cookies securely</a>.</li>
+<li>OWASP: <a href="https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately">Set cookie flags appropriately</a>.</li>
+<li>Mozilla: <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie">Set-Cookie</a>.</li>
+</references>
+</qhelp>

javascript/ql/src/Security/CWE-614/ClearTextCookie.ql

@@ -0,0 +1,20 @@
+/**
+ * @name Clear text transmission of sensitive cookie
+ * @description Sending sensitive information in a cookie without requring SSL encryption
+ *              can expose the cookie to an attacker.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 5.0
+ * @precision high
+ * @id js/clear-text-cookie
+ * @tags security
+ *       external/cwe/cwe-614
+ *       external/cwe/cwe-311
+ *       external/cwe/cwe-312
+ */
+
+import javascript
+
+from CookieWrites::CookieWrite cookie
+where cookie.isSensitive() and not cookie.isSecure()
+select cookie, "Sensitive cookie sent without enforcing SSL encryption"

javascript/ql/src/Security/CWE-614/examples/ClearTextCookieBad.js

@@ -0,0 +1,7 @@
+const http = require('http');
+
+const server = http.createServer((req, res) => {
+    res.setHeader("Set-Cookie", `authKey=${makeAuthkey()}`);
+    res.writeHead(200, { 'Content-Type': 'text/html' });
+    res.end('<h2>Hello world</h2>');
+});

javascript/ql/src/Security/CWE-614/examples/ClearTextCookieGood.js

@@ -0,0 +1,7 @@
+const http = require('http');
+
+const server = http.createServer((req, res) => {
+    res.setHeader("Set-Cookie", `authKey=${makeAuthkey()}; secure; httpOnly`);
+    res.writeHead(200, { 'Content-Type': 'text/html' });
+    res.end('<h2>Hello world</h2>');
+});