From 7c4b76b08b0678fbff2ad51af63225d9fbc53cb4 Mon Sep 17 00:00:00 2001
From: Mauro Baluda
Date: Mon, 5 Dec 2022 12:55:53 +0100
Subject: [PATCH] Update InsecureCookie.ql
---
 .../Security/CWE/CWE-614/InsecureCookie.ql | 28 ++++++++-----------
 1 file changed, 12 insertions(+), 16 deletions(-)
diff --git a/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql b/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql
index c6aad828896..0766ee07134 100644
--- a/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql
+++ b/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql
@@ -30,10 +30,16 @@ class SecureCookieConfiguration extends DataFlow::Configuration {
 SecureCookieConfiguration() { this = "SecureCookieConfiguration" }
 
 override predicate isSource(DataFlow::Node source) {
- exists(Variable cookie, MethodAccess m |
- source.asExpr() = cookie.getAnAccess() and
- cookie.getAnAccess() = m.getQualifier() and
- m.getMethod().getName() = "setSecure"
+ exists(MethodAccess ma, Method m | ma.getMethod() = m |
+ m.getDeclaringType() instanceof TypeCookie and
+ m.getName() = "setSecure" and
+ source.asExpr() = ma.getQualifier() and
+ forex(DataFlow::Node argSource |
+ DataFlow::localFlow(argSource, DataFlow::exprNode(ma.getArgument(0))) and
+ not DataFlow::localFlowStep(_, argSource)
+ |
+ isSafeSecureCookieSetting(argSource.asExpr())
+ )
 )
 }
 
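Review bot: In `isSource`, a single `setSecure` call whose argument passes the `forex` test is enough to mark the cookie as a source, and nothing in the hunk stops that flow if the same object later receives `setSecure(false)` or if the safe call sits on only one branch before the cookie is added to the response. In those cases the query would likely stay silent on a cookie that is sent without the flag, so the predicate deserves a QLDoc comment stating the limitation, e.g. `/** Holds if source is the qualifier of a Cookie.setSecure call whose argument can only be a safe value; later calls that clear the flag are not tracked. */`. The class body continues outside the hunk, so a barrier may already exist there; if not, an `isBarrier` override on the qualifier of a `setSecure` call that fails the same `forex` test looks like the natural way to narrow the gap, to be confirmed against the query tests. Separately, `m.getDeclaringType() instanceof TypeCookie` appears to skip a subclass that overrides `setSecure`, which would cause false alerts rather than missed ones.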
@@ -43,18 +49,8 @@ class SecureCookieConfiguration extends DataFlow::Configuration {
 }
 }
 
-from MethodAccess add, SecureCookieConfiguration df
+from MethodAccess add
 where
 add.getMethod() instanceof ResponseAddCookieMethod and
- not exists(Variable cookie, MethodAccess m |
- df.hasFlow(DataFlow::exprNode(cookie.getAnAccess()), DataFlow::exprNode(add.getArgument(0))) and
- m.getMethod().getName() = "setSecure" and
- forex(DataFlow::Node argSource |
- DataFlow::localFlow(argSource, DataFlow::exprNode(m.getArgument(0))) and
- not DataFlow::localFlowStep(_, argSource)
- |
- isSafeSecureCookieSetting(argSource.asExpr())
- ) and
- m.getQualifier() = cookie.getAnAccess()
- )
+ not any(SecureCookieConfiguration df).hasFlowToExpr(add.getArgument(0))
 select add, "Cookie is added to response without the 'secure' flag being set."
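Review bot: The `where` clause now depends entirely on `SecureCookieConfiguration`, yet the diffstat lists only the query file, so no test pins the cases whose result may differ from before: a cookie that is not held in a local variable, `setSecure` called with a non-constant argument, and a cookie type other than the one `TypeCookie` matches. Adding such cases to the query's test directory would show whether the rewrite adds or removes alerts. A short comment above the negation would also help the next reader, e.g. `// no setSecure call with a provably safe argument reaches this addCookie argument`. The alert text says the flag is not set, but the same result is produced when `setSecure` was called with a value the query could not prove safe, which the message or the query help could mention.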