hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-29 10:45:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Ruby: add some rb/weak-cookie-configuration tests

Browse Source
This commit is contained in:
Alex Ford
2021-12-05 23:18:00 +00:00
parent 8976469d9b
commit 71c5711eb3
3 changed files with 43 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
ruby/ql/test/query-tests/security/cwe-732/WeakCookieConfiguration.expected Normal file
View File

@@ -0,0 +1,5 @@
| app/config/application.rb:14:5:14:50 | call to encrypted_cookie_cipher= | DES is a weak cipher. |
| app/config/application.rb:17:5:17:50 | call to encrypted_cookie_cipher= | AES-256-ECB is a weak cipher. |
| app/config/application.rb:23:5:23:62 | call to use_authenticated_cookie_encryption= | use_authenticated_cookie_encryption=false selects a weaker block mode for authenticated cookies. |
| app/config/application.rb:32:5:32:55 | call to cookies_same_site_protection= | Setting 'SameSite' to 'None' may make an application more vulnerable to CSRF attacks. |
| app/config/application.rb:35:5:35:55 | call to cookies_same_site_protection= | Unsetting 'SameSite' can disable same-site cookie restrictions in some browsers. |

1
ruby/ql/test/query-tests/security/cwe-732/WeakCookieConfiguration.qlref Normal file
View File

@@ -0,0 +1 @@
queries/security/cwe-732/WeakCookieConfiguration.ql

37
ruby/ql/test/query-tests/security/cwe-732/app/config/application.rb Normal file
View File

@@ -0,0 +1,37 @@
require 'rails'
module App
class Application < Rails::Application
config.load_defaults 6.0
# GOOD: strong cipher
config.action_dispatch.encrypted_cookie_cipher = "aes-256-gcm"
# GOOD: strong cipher
config.action_dispatch.encrypted_cookie_cipher = "ChaCha"
# BAD: weak block encryption algorithm
config.action_dispatch.encrypted_cookie_cipher = "DES"
# BAD: weak block encryption mode
config.action_dispatch.encrypted_cookie_cipher = "AES-256-ECB"
# GOOD
config.action_dispatch.use_authenticated_cookie_encryption = true
# BAD: less secure block encryption mode
config.action_dispatch.use_authenticated_cookie_encryption = false
# GOOD
config.action_dispatch.cookies_same_site_protection = :lax
# GOOD
config.action_dispatch.cookies_same_site_protection = "strict"
# BAD: disabling same-site protections for sending cookies
config.action_dispatch.cookies_same_site_protection = :none
# BAD: not all browsers default to `lax` if unset
config.action_dispatch.cookies_same_site_protection = nil
end
end