Merge pull request #9116 from smowton/smowton/feature/accept-conditional-cookie-security

Java: tolerate `cookie.setSecure(request.isSecure())`

java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql

@@ -13,6 +13,18 @@
 
 import java
 import semmle.code.java.frameworks.Servlets
+import semmle.code.java.dataflow.DataFlow
+
+predicate isSafeSecureCookieSetting(Expr e) {
+  e.(CompileTimeConstantExpr).getBooleanValue() = true
+  or
+  exists(Method isSecure |
+    isSecure.getName() = "isSecure" and
+    isSecure.getDeclaringType().getASourceSupertype*() instanceof ServletRequest
+  |
+    e.(MethodAccess).getMethod() = isSecure
+  )
+}
 
 from MethodAccess add
 where
@@ -20,7 +32,12 @@ where
   not exists(Variable cookie, MethodAccess m |
     add.getArgument(0) = cookie.getAnAccess() and
     m.getMethod().getName() = "setSecure" and
-    m.getArgument(0).(CompileTimeConstantExpr).getBooleanValue() = true and
+    forex(DataFlow::Node argSource |
+      DataFlow::localFlow(argSource, DataFlow::exprNode(m.getArgument(0))) and
+      not DataFlow::localFlowStep(_, argSource)
+    |
+      isSafeSecureCookieSetting(argSource.asExpr())
+    ) and
     m.getQualifier() = cookie.getAnAccess()
   )
 select add, "Cookie is added to response without the 'secure' flag being set."