Add tests

go/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.expected

@@ -0,0 +1,139 @@
+#select
+| CookieWithoutHttpOnly.go:14:2:14:22 | call to SetCookie | CookieWithoutHttpOnly.go:11:10:11:18 | "session" | CookieWithoutHttpOnly.go:14:20:14:21 | &... | Sensitive cookie $@ does not set HttpOnly attribute to true. | CookieWithoutHttpOnly.go:11:10:11:18 | "session" | session |
+| CookieWithoutHttpOnly.go:23:2:23:22 | call to SetCookie | CookieWithoutHttpOnly.go:19:13:19:21 | "session" | CookieWithoutHttpOnly.go:23:20:23:21 | &... | Sensitive cookie $@ does not set HttpOnly attribute to true. | CookieWithoutHttpOnly.go:19:13:19:21 | "session" | session |
+| CookieWithoutHttpOnly.go:50:2:50:22 | call to SetCookie | CookieWithoutHttpOnly.go:46:10:46:18 | "session" | CookieWithoutHttpOnly.go:50:20:50:21 | &... | Sensitive cookie $@ does not set HttpOnly attribute to true. | CookieWithoutHttpOnly.go:46:10:46:18 | "session" | session |
+| CookieWithoutHttpOnly.go:60:2:60:22 | call to SetCookie | CookieWithoutHttpOnly.go:56:13:56:21 | "session" | CookieWithoutHttpOnly.go:60:20:60:21 | &... | Sensitive cookie $@ does not set HttpOnly attribute to true. | CookieWithoutHttpOnly.go:56:13:56:21 | "session" | session |
+| CookieWithoutHttpOnly.go:90:2:90:22 | call to SetCookie | CookieWithoutHttpOnly.go:86:10:86:18 | "session" | CookieWithoutHttpOnly.go:90:20:90:21 | &... | Sensitive cookie $@ does not set HttpOnly attribute to true. | CookieWithoutHttpOnly.go:86:10:86:18 | "session" | session |
+| CookieWithoutHttpOnly.go:109:2:109:22 | call to SetCookie | CookieWithoutHttpOnly.go:103:10:103:18 | "session" | CookieWithoutHttpOnly.go:109:20:109:21 | &... | Sensitive cookie $@ does not set HttpOnly attribute to true. | CookieWithoutHttpOnly.go:103:10:103:18 | "session" | session |
+| CookieWithoutHttpOnly.go:119:2:119:22 | call to SetCookie | CookieWithoutHttpOnly.go:113:13:113:24 | "login_name" | CookieWithoutHttpOnly.go:119:20:119:21 | &... | Sensitive cookie $@ does not set HttpOnly attribute to true. | CookieWithoutHttpOnly.go:113:13:113:24 | "login_name" | login_name |
+| CookieWithoutHttpOnly.go:119:2:119:22 | call to SetCookie | CookieWithoutHttpOnly.go:115:10:115:16 | session | CookieWithoutHttpOnly.go:119:20:119:21 | &... | Sensitive cookie $@ does not set HttpOnly attribute to true. | CookieWithoutHttpOnly.go:115:10:115:16 | session | session |
+| CookieWithoutHttpOnly.go:131:4:131:71 | call to SetCookie | CookieWithoutHttpOnly.go:131:16:131:24 | "session" | CookieWithoutHttpOnly.go:131:16:131:24 | "session" | Sensitive cookie $@ does not set HttpOnly attribute to true. | CookieWithoutHttpOnly.go:131:16:131:24 | "session" | session |
+edges
+| CookieWithoutHttpOnly.go:10:7:13:2 | struct literal | CookieWithoutHttpOnly.go:14:20:14:21 | &... | provenance |  |
+| CookieWithoutHttpOnly.go:10:7:13:2 | struct literal | CookieWithoutHttpOnly.go:14:21:14:21 | c | provenance |  |
+| CookieWithoutHttpOnly.go:11:10:11:18 | "session" | CookieWithoutHttpOnly.go:10:7:13:2 | struct literal | provenance | Config |
+| CookieWithoutHttpOnly.go:14:20:14:21 | &... [pointer] | CookieWithoutHttpOnly.go:14:20:14:21 | &... | provenance |  |
+| CookieWithoutHttpOnly.go:14:21:14:21 | c | CookieWithoutHttpOnly.go:14:20:14:21 | &... | provenance |  |
+| CookieWithoutHttpOnly.go:14:21:14:21 | c | CookieWithoutHttpOnly.go:14:20:14:21 | &... [pointer] | provenance |  |
+| CookieWithoutHttpOnly.go:18:7:22:2 | struct literal | CookieWithoutHttpOnly.go:23:20:23:21 | &... | provenance |  |
+| CookieWithoutHttpOnly.go:18:7:22:2 | struct literal | CookieWithoutHttpOnly.go:23:21:23:21 | c | provenance |  |
+| CookieWithoutHttpOnly.go:19:13:19:21 | "session" | CookieWithoutHttpOnly.go:18:7:22:2 | struct literal | provenance | Config |
+| CookieWithoutHttpOnly.go:23:20:23:21 | &... [pointer] | CookieWithoutHttpOnly.go:23:20:23:21 | &... | provenance |  |
+| CookieWithoutHttpOnly.go:23:21:23:21 | c | CookieWithoutHttpOnly.go:23:20:23:21 | &... | provenance |  |
+| CookieWithoutHttpOnly.go:23:21:23:21 | c | CookieWithoutHttpOnly.go:23:20:23:21 | &... [pointer] | provenance |  |
+| CookieWithoutHttpOnly.go:27:7:31:2 | struct literal | CookieWithoutHttpOnly.go:32:20:32:21 | &... | provenance |  |
+| CookieWithoutHttpOnly.go:27:7:31:2 | struct literal | CookieWithoutHttpOnly.go:32:21:32:21 | c | provenance |  |
+| CookieWithoutHttpOnly.go:28:13:28:21 | "session" | CookieWithoutHttpOnly.go:27:7:31:2 | struct literal | provenance | Config |
+| CookieWithoutHttpOnly.go:32:20:32:21 | &... [pointer] | CookieWithoutHttpOnly.go:32:20:32:21 | &... | provenance |  |
+| CookieWithoutHttpOnly.go:32:21:32:21 | c | CookieWithoutHttpOnly.go:32:20:32:21 | &... | provenance |  |
+| CookieWithoutHttpOnly.go:32:21:32:21 | c | CookieWithoutHttpOnly.go:32:20:32:21 | &... [pointer] | provenance |  |
+| CookieWithoutHttpOnly.go:36:7:39:2 | struct literal | CookieWithoutHttpOnly.go:41:20:41:21 | &... | provenance |  |
+| CookieWithoutHttpOnly.go:36:7:39:2 | struct literal | CookieWithoutHttpOnly.go:41:21:41:21 | c | provenance |  |
+| CookieWithoutHttpOnly.go:37:10:37:18 | "session" | CookieWithoutHttpOnly.go:36:7:39:2 | struct literal | provenance | Config |
+| CookieWithoutHttpOnly.go:41:20:41:21 | &... [pointer] | CookieWithoutHttpOnly.go:41:20:41:21 | &... | provenance |  |
+| CookieWithoutHttpOnly.go:41:21:41:21 | c | CookieWithoutHttpOnly.go:41:20:41:21 | &... | provenance |  |
+| CookieWithoutHttpOnly.go:41:21:41:21 | c | CookieWithoutHttpOnly.go:41:20:41:21 | &... [pointer] | provenance |  |
+| CookieWithoutHttpOnly.go:45:7:48:2 | struct literal | CookieWithoutHttpOnly.go:50:20:50:21 | &... | provenance |  |
+| CookieWithoutHttpOnly.go:45:7:48:2 | struct literal | CookieWithoutHttpOnly.go:50:21:50:21 | c | provenance |  |
+| CookieWithoutHttpOnly.go:46:10:46:18 | "session" | CookieWithoutHttpOnly.go:45:7:48:2 | struct literal | provenance | Config |
+| CookieWithoutHttpOnly.go:50:20:50:21 | &... [pointer] | CookieWithoutHttpOnly.go:50:20:50:21 | &... | provenance |  |
+| CookieWithoutHttpOnly.go:50:21:50:21 | c | CookieWithoutHttpOnly.go:50:20:50:21 | &... | provenance |  |
+| CookieWithoutHttpOnly.go:50:21:50:21 | c | CookieWithoutHttpOnly.go:50:20:50:21 | &... [pointer] | provenance |  |
+| CookieWithoutHttpOnly.go:55:7:59:2 | struct literal | CookieWithoutHttpOnly.go:60:20:60:21 | &... | provenance |  |
+| CookieWithoutHttpOnly.go:55:7:59:2 | struct literal | CookieWithoutHttpOnly.go:60:21:60:21 | c | provenance |  |
+| CookieWithoutHttpOnly.go:56:13:56:21 | "session" | CookieWithoutHttpOnly.go:55:7:59:2 | struct literal | provenance | Config |
+| CookieWithoutHttpOnly.go:60:20:60:21 | &... [pointer] | CookieWithoutHttpOnly.go:60:20:60:21 | &... | provenance |  |
+| CookieWithoutHttpOnly.go:60:21:60:21 | c | CookieWithoutHttpOnly.go:60:20:60:21 | &... | provenance |  |
+| CookieWithoutHttpOnly.go:60:21:60:21 | c | CookieWithoutHttpOnly.go:60:20:60:21 | &... [pointer] | provenance |  |
+| CookieWithoutHttpOnly.go:65:7:69:2 | struct literal | CookieWithoutHttpOnly.go:70:20:70:21 | &... | provenance |  |
+| CookieWithoutHttpOnly.go:65:7:69:2 | struct literal | CookieWithoutHttpOnly.go:70:21:70:21 | c | provenance |  |
+| CookieWithoutHttpOnly.go:66:13:66:21 | "session" | CookieWithoutHttpOnly.go:65:7:69:2 | struct literal | provenance | Config |
+| CookieWithoutHttpOnly.go:70:20:70:21 | &... [pointer] | CookieWithoutHttpOnly.go:70:20:70:21 | &... | provenance |  |
+| CookieWithoutHttpOnly.go:70:21:70:21 | c | CookieWithoutHttpOnly.go:70:20:70:21 | &... | provenance |  |
+| CookieWithoutHttpOnly.go:70:21:70:21 | c | CookieWithoutHttpOnly.go:70:20:70:21 | &... [pointer] | provenance |  |
+| CookieWithoutHttpOnly.go:75:7:78:2 | struct literal | CookieWithoutHttpOnly.go:80:20:80:21 | &... | provenance |  |
+| CookieWithoutHttpOnly.go:75:7:78:2 | struct literal | CookieWithoutHttpOnly.go:80:21:80:21 | c | provenance |  |
+| CookieWithoutHttpOnly.go:76:10:76:18 | "session" | CookieWithoutHttpOnly.go:75:7:78:2 | struct literal | provenance | Config |
+| CookieWithoutHttpOnly.go:80:20:80:21 | &... [pointer] | CookieWithoutHttpOnly.go:80:20:80:21 | &... | provenance |  |
+| CookieWithoutHttpOnly.go:80:21:80:21 | c | CookieWithoutHttpOnly.go:80:20:80:21 | &... | provenance |  |
+| CookieWithoutHttpOnly.go:80:21:80:21 | c | CookieWithoutHttpOnly.go:80:20:80:21 | &... [pointer] | provenance |  |
+| CookieWithoutHttpOnly.go:85:7:88:2 | struct literal | CookieWithoutHttpOnly.go:90:20:90:21 | &... | provenance |  |
+| CookieWithoutHttpOnly.go:85:7:88:2 | struct literal | CookieWithoutHttpOnly.go:90:21:90:21 | c | provenance |  |
+| CookieWithoutHttpOnly.go:86:10:86:18 | "session" | CookieWithoutHttpOnly.go:85:7:88:2 | struct literal | provenance | Config |
+| CookieWithoutHttpOnly.go:90:20:90:21 | &... [pointer] | CookieWithoutHttpOnly.go:90:20:90:21 | &... | provenance |  |
+| CookieWithoutHttpOnly.go:90:21:90:21 | c | CookieWithoutHttpOnly.go:90:20:90:21 | &... | provenance |  |
+| CookieWithoutHttpOnly.go:90:21:90:21 | c | CookieWithoutHttpOnly.go:90:20:90:21 | &... [pointer] | provenance |  |
+| CookieWithoutHttpOnly.go:103:10:103:18 | "session" | CookieWithoutHttpOnly.go:105:10:105:13 | name | provenance |  |
+| CookieWithoutHttpOnly.go:104:7:107:2 | struct literal | CookieWithoutHttpOnly.go:109:20:109:21 | &... | provenance |  |
+| CookieWithoutHttpOnly.go:104:7:107:2 | struct literal | CookieWithoutHttpOnly.go:109:21:109:21 | c | provenance |  |
+| CookieWithoutHttpOnly.go:105:10:105:13 | name | CookieWithoutHttpOnly.go:104:7:107:2 | struct literal | provenance | Config |
+| CookieWithoutHttpOnly.go:109:20:109:21 | &... [pointer] | CookieWithoutHttpOnly.go:109:20:109:21 | &... | provenance |  |
+| CookieWithoutHttpOnly.go:109:21:109:21 | c | CookieWithoutHttpOnly.go:109:20:109:21 | &... | provenance |  |
+| CookieWithoutHttpOnly.go:109:21:109:21 | c | CookieWithoutHttpOnly.go:109:20:109:21 | &... [pointer] | provenance |  |
+| CookieWithoutHttpOnly.go:113:13:113:24 | "login_name" | CookieWithoutHttpOnly.go:115:10:115:16 | session | provenance |  |
+| CookieWithoutHttpOnly.go:114:7:117:2 | struct literal | CookieWithoutHttpOnly.go:119:20:119:21 | &... | provenance |  |
+| CookieWithoutHttpOnly.go:114:7:117:2 | struct literal | CookieWithoutHttpOnly.go:119:21:119:21 | c | provenance |  |
+| CookieWithoutHttpOnly.go:115:10:115:16 | session | CookieWithoutHttpOnly.go:114:7:117:2 | struct literal | provenance | Config |
+| CookieWithoutHttpOnly.go:119:20:119:21 | &... [pointer] | CookieWithoutHttpOnly.go:119:20:119:21 | &... | provenance |  |
+| CookieWithoutHttpOnly.go:119:21:119:21 | c | CookieWithoutHttpOnly.go:119:20:119:21 | &... | provenance |  |
+| CookieWithoutHttpOnly.go:119:21:119:21 | c | CookieWithoutHttpOnly.go:119:20:119:21 | &... [pointer] | provenance |  |
+nodes
+| CookieWithoutHttpOnly.go:10:7:13:2 | struct literal | semmle.label | struct literal |
+| CookieWithoutHttpOnly.go:11:10:11:18 | "session" | semmle.label | "session" |
+| CookieWithoutHttpOnly.go:14:20:14:21 | &... | semmle.label | &... |
+| CookieWithoutHttpOnly.go:14:20:14:21 | &... [pointer] | semmle.label | &... [pointer] |
+| CookieWithoutHttpOnly.go:14:21:14:21 | c | semmle.label | c |
+| CookieWithoutHttpOnly.go:18:7:22:2 | struct literal | semmle.label | struct literal |
+| CookieWithoutHttpOnly.go:19:13:19:21 | "session" | semmle.label | "session" |
+| CookieWithoutHttpOnly.go:23:20:23:21 | &... | semmle.label | &... |
+| CookieWithoutHttpOnly.go:23:20:23:21 | &... [pointer] | semmle.label | &... [pointer] |
+| CookieWithoutHttpOnly.go:23:21:23:21 | c | semmle.label | c |
+| CookieWithoutHttpOnly.go:27:7:31:2 | struct literal | semmle.label | struct literal |
+| CookieWithoutHttpOnly.go:28:13:28:21 | "session" | semmle.label | "session" |
+| CookieWithoutHttpOnly.go:32:20:32:21 | &... | semmle.label | &... |
+| CookieWithoutHttpOnly.go:32:20:32:21 | &... [pointer] | semmle.label | &... [pointer] |
+| CookieWithoutHttpOnly.go:32:21:32:21 | c | semmle.label | c |
+| CookieWithoutHttpOnly.go:36:7:39:2 | struct literal | semmle.label | struct literal |
+| CookieWithoutHttpOnly.go:37:10:37:18 | "session" | semmle.label | "session" |
+| CookieWithoutHttpOnly.go:41:20:41:21 | &... | semmle.label | &... |
+| CookieWithoutHttpOnly.go:41:20:41:21 | &... [pointer] | semmle.label | &... [pointer] |
+| CookieWithoutHttpOnly.go:41:21:41:21 | c | semmle.label | c |
+| CookieWithoutHttpOnly.go:45:7:48:2 | struct literal | semmle.label | struct literal |
+| CookieWithoutHttpOnly.go:46:10:46:18 | "session" | semmle.label | "session" |
+| CookieWithoutHttpOnly.go:50:20:50:21 | &... | semmle.label | &... |
+| CookieWithoutHttpOnly.go:50:20:50:21 | &... [pointer] | semmle.label | &... [pointer] |
+| CookieWithoutHttpOnly.go:50:21:50:21 | c | semmle.label | c |
+| CookieWithoutHttpOnly.go:55:7:59:2 | struct literal | semmle.label | struct literal |
+| CookieWithoutHttpOnly.go:56:13:56:21 | "session" | semmle.label | "session" |
+| CookieWithoutHttpOnly.go:60:20:60:21 | &... | semmle.label | &... |
+| CookieWithoutHttpOnly.go:60:20:60:21 | &... [pointer] | semmle.label | &... [pointer] |
+| CookieWithoutHttpOnly.go:60:21:60:21 | c | semmle.label | c |
+| CookieWithoutHttpOnly.go:65:7:69:2 | struct literal | semmle.label | struct literal |
+| CookieWithoutHttpOnly.go:66:13:66:21 | "session" | semmle.label | "session" |
+| CookieWithoutHttpOnly.go:70:20:70:21 | &... | semmle.label | &... |
+| CookieWithoutHttpOnly.go:70:20:70:21 | &... [pointer] | semmle.label | &... [pointer] |
+| CookieWithoutHttpOnly.go:70:21:70:21 | c | semmle.label | c |
+| CookieWithoutHttpOnly.go:75:7:78:2 | struct literal | semmle.label | struct literal |
+| CookieWithoutHttpOnly.go:76:10:76:18 | "session" | semmle.label | "session" |
+| CookieWithoutHttpOnly.go:80:20:80:21 | &... | semmle.label | &... |
+| CookieWithoutHttpOnly.go:80:20:80:21 | &... [pointer] | semmle.label | &... [pointer] |
+| CookieWithoutHttpOnly.go:80:21:80:21 | c | semmle.label | c |
+| CookieWithoutHttpOnly.go:85:7:88:2 | struct literal | semmle.label | struct literal |
+| CookieWithoutHttpOnly.go:86:10:86:18 | "session" | semmle.label | "session" |
+| CookieWithoutHttpOnly.go:90:20:90:21 | &... | semmle.label | &... |
+| CookieWithoutHttpOnly.go:90:20:90:21 | &... [pointer] | semmle.label | &... [pointer] |
+| CookieWithoutHttpOnly.go:90:21:90:21 | c | semmle.label | c |
+| CookieWithoutHttpOnly.go:103:10:103:18 | "session" | semmle.label | "session" |
+| CookieWithoutHttpOnly.go:104:7:107:2 | struct literal | semmle.label | struct literal |
+| CookieWithoutHttpOnly.go:105:10:105:13 | name | semmle.label | name |
+| CookieWithoutHttpOnly.go:109:20:109:21 | &... | semmle.label | &... |
+| CookieWithoutHttpOnly.go:109:20:109:21 | &... [pointer] | semmle.label | &... [pointer] |
+| CookieWithoutHttpOnly.go:109:21:109:21 | c | semmle.label | c |
+| CookieWithoutHttpOnly.go:113:13:113:24 | "login_name" | semmle.label | "login_name" |
+| CookieWithoutHttpOnly.go:114:7:117:2 | struct literal | semmle.label | struct literal |
+| CookieWithoutHttpOnly.go:115:10:115:16 | session | semmle.label | session |
+| CookieWithoutHttpOnly.go:119:20:119:21 | &... | semmle.label | &... |
+| CookieWithoutHttpOnly.go:119:20:119:21 | &... [pointer] | semmle.label | &... [pointer] |
+| CookieWithoutHttpOnly.go:119:21:119:21 | c | semmle.label | c |
+| CookieWithoutHttpOnly.go:131:16:131:24 | "session" | semmle.label | "session" |
+subpaths

go/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.go

@@ -0,0 +1,136 @@
+package main
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+)
+
+func handler1(w http.ResponseWriter, r *http.Request) {
+	c := http.Cookie{
+		Name:  "session", // $ Source
+		Value: "secret",
+	}
+	http.SetCookie(w, &c) // $ Alert // BAD: HttpOnly set to false by default
+}
+
+func handler2(w http.ResponseWriter, r *http.Request) {
+	c := http.Cookie{
+		Name:     "session", // $ Source
+		Value:    "secret",
+		HttpOnly: false,
+	}
+	http.SetCookie(w, &c) // $ Alert // BAD: HttpOnly explicitly set to false
+}
+
+func handler3(w http.ResponseWriter, r *http.Request) {
+	c := http.Cookie{
+		Name:     "session", 
+		Value:    "secret",
+		HttpOnly: true,
+	}
+	http.SetCookie(w, &c) // GOOD: HttpOnly explicitly set to true
+}
+
+func handler4(w http.ResponseWriter, r *http.Request) {
+	c := http.Cookie{
+		Name:  "session",
+		Value: "secret",
+	}
+	c.HttpOnly = true
+	http.SetCookie(w, &c) // GOOD: HttpOnly explicitly set to true
+}
+
+func handler5(w http.ResponseWriter, r *http.Request) {
+	c := http.Cookie{
+		Name:  "session", // $ Source
+		Value: "secret",
+	}
+	c.HttpOnly = false
+	http.SetCookie(w, &c) // $ Alert // BAD: HttpOnly explicitly set to false
+}
+
+func handler6(w http.ResponseWriter, r *http.Request) {
+	val := false
+	c := http.Cookie{
+		Name:     "session", // $ Source
+		Value:    "secret",
+		HttpOnly: val,
+	}
+	http.SetCookie(w, &c) // $ Alert // BAD: HttpOnly explicitly set to false
+}
+
+func handler7(w http.ResponseWriter, r *http.Request) {
+	val := true
+	c := http.Cookie{
+		Name:     "session", 
+		Value:    "secret",
+		HttpOnly: val,
+	}
+	http.SetCookie(w, &c) // GOOD: HttpOnly explicitly set to true
+}
+
+func handler8(w http.ResponseWriter, r *http.Request) {
+	val := true
+	c := http.Cookie{
+		Name:  "session",
+		Value: "secret",
+	}
+	c.HttpOnly = val
+	http.SetCookie(w, &c) // GOOD: HttpOnly explicitly set to true
+}
+
+func handler9(w http.ResponseWriter, r *http.Request) {
+	val := false
+	c := http.Cookie{
+		Name:  "session", // $ Source
+		Value: "secret",
+	}
+	c.HttpOnly = val
+	http.SetCookie(w, &c) // $ Alert //BAD: HttpOnly explicitly set to false
+}
+
+func handler10(w http.ResponseWriter, r *http.Request) {
+	c := http.Cookie{
+		Name:  "consent",
+		Value: "1",
+	}
+	c.HttpOnly = false
+	http.SetCookie(w, &c) // GOOD: Name is not auth related
+}
+
+func handler11(w http.ResponseWriter, r *http.Request) {
+	name := "session" // $ Source
+	c := http.Cookie{
+		Name:  name,
+		Value: "secret",
+	}
+	c.HttpOnly = false
+	http.SetCookie(w, &c) // $ Alert // BAD: auth related name
+}
+
+func handler12(w http.ResponseWriter, r *http.Request) {
+	session := "login_name" // $ Source
+	c := http.Cookie{
+		Name:  session, // $ Source
+		Value: "secret",
+	}
+	c.HttpOnly = false
+	http.SetCookie(w, &c) // $ Alert // BAD: auth related name
+}
+
+func main() {
+
+	router := gin.Default()
+
+	router.GET("/cookie", func(c *gin.Context) {
+
+		_, err := c.Cookie("session") 
+
+		if err != nil {
+			c.SetCookie("session", "test", 3600, "/", "localhost", false, false) // $ Alert // BAD: httpOnly set to false
+		}
+	})
+
+	router.Run()
+}

go/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.qlref

@@ -0,0 +1,2 @@
+query: security/CWE-1004/CookieWithoutHttpOnly.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

go/ql/test/query-tests/Security/CWE-1004/go.mod

@@ -0,0 +1,8 @@
+module example.com/m
+
+go 1.14
+
+require (
+    github.com/gin-gonic/gin v1.7.1
+    github.com/gorilla/sessions v1.2.1
+    )

go/ql/test/query-tests/Security/CWE-1004/vendor/github.com/gin-gonic/gin/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2014 Manuel Martínez-Almeida
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

go/ql/test/query-tests/Security/CWE-1004/vendor/github.com/gin-gonic/gin/binding/stub.go

@@ -0,0 +1,12 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/gin-gonic/gin/binding, strictly for use in testing.
+
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/gin-gonic/gin/binding (exports: ; functions: YAML)
+
+// Package binding is a stub of github.com/gin-gonic/gin/binding, generated by depstubber.
+package binding
+
+import ()
+
+var YAML interface{} = nil

go/ql/test/query-tests/Security/CWE-1004/vendor/github.com/gin-gonic/gin/stub.go

@@ -0,0 +1,677 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/gin-gonic/gin, strictly for use in testing.
+
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/gin-gonic/gin (exports: Context; functions: Default)
+
+// Package gin is a stub of github.com/gin-gonic/gin, generated by depstubber.
+package gin
+
+import (
+	bufio "bufio"
+	template "html/template"
+	io "io"
+	multipart "mime/multipart"
+	net "net"
+	http "net/http"
+	time "time"
+)
+
+type Context struct {
+	Request  *http.Request
+	Writer   ResponseWriter
+	Params   Params
+	Keys     map[string]interface{}
+	Errors   interface{}
+	Accepted []string
+}
+
+func (_ *Context) Abort() {}
+
+func (_ *Context) AbortWithError(_ int, _ error) *Error {
+	return nil
+}
+
+func (_ *Context) AbortWithStatus(_ int) {}
+
+func (_ *Context) AbortWithStatusJSON(_ int, _ interface{}) {}
+
+func (_ *Context) AsciiJSON(_ int, _ interface{}) {}
+
+func (_ *Context) Bind(_ interface{}) error {
+	return nil
+}
+
+func (_ *Context) BindHeader(_ interface{}) error {
+	return nil
+}
+
+func (_ *Context) BindJSON(_ interface{}) error {
+	return nil
+}
+
+func (_ *Context) BindQuery(_ interface{}) error {
+	return nil
+}
+
+func (_ *Context) BindUri(_ interface{}) error {
+	return nil
+}
+
+func (_ *Context) BindWith(_ interface{}, _ interface{}) error {
+	return nil
+}
+
+func (_ *Context) BindXML(_ interface{}) error {
+	return nil
+}
+
+func (_ *Context) BindYAML(_ interface{}) error {
+	return nil
+}
+
+func (_ *Context) ClientIP() string {
+	return ""
+}
+
+func (_ *Context) ContentType() string {
+	return ""
+}
+
+func (_ *Context) Cookie(_ string) (string, error) {
+	return "", nil
+}
+
+func (_ *Context) Copy() *Context {
+	return nil
+}
+
+func (_ *Context) Data(_ int, _ string, _ []byte) {}
+
+func (_ *Context) DataFromReader(_ int, _ int64, _ string, _ io.Reader, _ map[string]string) {}
+
+func (_ *Context) Deadline() (time.Time, bool) {
+	return time.Time{}, false
+}
+
+func (_ *Context) DefaultPostForm(_ string, _ string) string {
+	return ""
+}
+
+func (_ *Context) DefaultQuery(_ string, _ string) string {
+	return ""
+}
+
+func (_ *Context) Done() <-chan struct{} {
+	return nil
+}
+
+func (_ *Context) Err() error {
+	return nil
+}
+
+func (_ *Context) Error(_ error) *Error {
+	return nil
+}
+
+func (_ *Context) File(_ string) {}
+
+func (_ *Context) FileAttachment(_ string, _ string) {}
+
+func (_ *Context) FileFromFS(_ string, _ http.FileSystem) {}
+
+func (_ *Context) FormFile(_ string) (*multipart.FileHeader, error) {
+	return nil, nil
+}
+
+func (_ *Context) FullPath() string {
+	return ""
+}
+
+func (_ *Context) Get(_ string) (interface{}, bool) {
+	return nil, false
+}
+
+func (_ *Context) GetBool(_ string) bool {
+	return false
+}
+
+func (_ *Context) GetDuration(_ string) time.Duration {
+	return 0
+}
+
+func (_ *Context) GetFloat64(_ string) float64 {
+	return 0
+}
+
+func (_ *Context) GetHeader(_ string) string {
+	return ""
+}
+
+func (_ *Context) GetInt(_ string) int {
+	return 0
+}
+
+func (_ *Context) GetInt64(_ string) int64 {
+	return 0
+}
+
+func (_ *Context) GetPostForm(_ string) (string, bool) {
+	return "", false
+}
+
+func (_ *Context) GetPostFormArray(_ string) ([]string, bool) {
+	return nil, false
+}
+
+func (_ *Context) GetPostFormMap(_ string) (map[string]string, bool) {
+	return nil, false
+}
+
+func (_ *Context) GetQuery(_ string) (string, bool) {
+	return "", false
+}
+
+func (_ *Context) GetQueryArray(_ string) ([]string, bool) {
+	return nil, false
+}
+
+func (_ *Context) GetQueryMap(_ string) (map[string]string, bool) {
+	return nil, false
+}
+
+func (_ *Context) GetRawData() ([]byte, error) {
+	return nil, nil
+}
+
+func (_ *Context) GetString(_ string) string {
+	return ""
+}
+
+func (_ *Context) GetStringMap(_ string) map[string]interface{} {
+	return nil
+}
+
+func (_ *Context) GetStringMapString(_ string) map[string]string {
+	return nil
+}
+
+func (_ *Context) GetStringMapStringSlice(_ string) map[string][]string {
+	return nil
+}
+
+func (_ *Context) GetStringSlice(_ string) []string {
+	return nil
+}
+
+func (_ *Context) GetTime(_ string) time.Time {
+	return time.Time{}
+}
+
+func (_ *Context) GetUint(_ string) uint {
+	return 0
+}
+
+func (_ *Context) GetUint64(_ string) uint64 {
+	return 0
+}
+
+func (_ *Context) HTML(_ int, _ string, _ interface{}) {}
+
+func (_ *Context) Handler() HandlerFunc {
+	return nil
+}
+
+func (_ *Context) HandlerName() string {
+	return ""
+}
+
+func (_ *Context) HandlerNames() []string {
+	return nil
+}
+
+func (_ *Context) Header(_ string, _ string) {}
+
+func (_ *Context) IndentedJSON(_ int, _ interface{}) {}
+
+func (_ *Context) IsAborted() bool {
+	return false
+}
+
+func (_ *Context) IsWebsocket() bool {
+	return false
+}
+
+func (_ *Context) JSON(_ int, _ interface{}) {}
+
+func (_ *Context) JSONP(_ int, _ interface{}) {}
+
+func (_ *Context) MultipartForm() (*multipart.Form, error) {
+	return nil, nil
+}
+
+func (_ *Context) MustBindWith(_ interface{}, _ interface{}) error {
+	return nil
+}
+
+func (_ *Context) MustGet(_ string) interface{} {
+	return nil
+}
+
+func (_ *Context) Negotiate(_ int, _ Negotiate) {}
+
+func (_ *Context) NegotiateFormat(_ ...string) string {
+	return ""
+}
+
+func (_ *Context) Next() {}
+
+func (_ *Context) Param(_ string) string {
+	return ""
+}
+
+func (_ *Context) PostForm(_ string) string {
+	return ""
+}
+
+func (_ *Context) PostFormArray(_ string) []string {
+	return nil
+}
+
+func (_ *Context) PostFormMap(_ string) map[string]string {
+	return nil
+}
+
+func (_ *Context) ProtoBuf(_ int, _ interface{}) {}
+
+func (_ *Context) PureJSON(_ int, _ interface{}) {}
+
+func (_ *Context) Query(_ string) string {
+	return ""
+}
+
+func (_ *Context) QueryArray(_ string) []string {
+	return nil
+}
+
+func (_ *Context) QueryMap(_ string) map[string]string {
+	return nil
+}
+
+func (_ *Context) Redirect(_ int, _ string) {}
+
+func (_ *Context) RemoteIP() (net.IP, bool) {
+	return nil, false
+}
+
+func (_ *Context) Render(_ int, _ interface{}) {}
+
+func (_ *Context) SSEvent(_ string, _ interface{}) {}
+
+func (_ *Context) SaveUploadedFile(_ *multipart.FileHeader, _ string) error {
+	return nil
+}
+
+func (_ *Context) SecureJSON(_ int, _ interface{}) {}
+
+func (_ *Context) Set(_ string, _ interface{}) {}
+
+func (_ *Context) SetAccepted(_ ...string) {}
+
+func (_ *Context) SetCookie(_ string, _ string, _ int, _ string, _ string, _ bool, _ bool) {}
+
+func (_ *Context) SetSameSite(_ http.SameSite) {}
+
+func (_ *Context) ShouldBind(_ interface{}) error {
+	return nil
+}
+
+func (_ *Context) ShouldBindBodyWith(_ interface{}, _ interface{}) error {
+	return nil
+}
+
+func (_ *Context) ShouldBindHeader(_ interface{}) error {
+	return nil
+}
+
+func (_ *Context) ShouldBindJSON(_ interface{}) error {
+	return nil
+}
+
+func (_ *Context) ShouldBindQuery(_ interface{}) error {
+	return nil
+}
+
+func (_ *Context) ShouldBindUri(_ interface{}) error {
+	return nil
+}
+
+func (_ *Context) ShouldBindWith(_ interface{}, _ interface{}) error {
+	return nil
+}
+
+func (_ *Context) ShouldBindXML(_ interface{}) error {
+	return nil
+}
+
+func (_ *Context) ShouldBindYAML(_ interface{}) error {
+	return nil
+}
+
+func (_ *Context) Status(_ int) {}
+
+func (_ *Context) Stream(_ func(io.Writer) bool) bool {
+	return false
+}
+
+func (_ *Context) String(_ int, _ string, _ ...interface{}) {}
+
+func (_ *Context) Value(_ interface{}) interface{} {
+	return nil
+}
+
+func (_ *Context) XML(_ int, _ interface{}) {}
+
+func (_ *Context) YAML(_ int, _ interface{}) {}
+
+func Default() *Engine {
+	return nil
+}
+
+type Engine struct {
+	RouterGroup            RouterGroup
+	RedirectTrailingSlash  bool
+	RedirectFixedPath      bool
+	HandleMethodNotAllowed bool
+	ForwardedByClientIP    bool
+	RemoteIPHeaders        []string
+	TrustedProxies         []string
+	AppEngine              bool
+	UseRawPath             bool
+	UnescapePathValues     bool
+	MaxMultipartMemory     int64
+	RemoveExtraSlash       bool
+	HTMLRender             interface{}
+	FuncMap                template.FuncMap
+}
+
+func (_ *Engine) Any(_ string, _ ...HandlerFunc) IRoutes {
+	return nil
+}
+
+func (_ *Engine) BasePath() string {
+	return ""
+}
+
+func (_ *Engine) DELETE(_ string, _ ...HandlerFunc) IRoutes {
+	return nil
+}
+
+func (_ *Engine) Delims(_ string, _ string) *Engine {
+	return nil
+}
+
+func (_ *Engine) GET(_ string, _ ...HandlerFunc) IRoutes {
+	return nil
+}
+
+func (_ *Engine) Group(_ string, _ ...HandlerFunc) *RouterGroup {
+	return nil
+}
+
+func (_ *Engine) HEAD(_ string, _ ...HandlerFunc) IRoutes {
+	return nil
+}
+
+func (_ *Engine) Handle(_ string, _ string, _ ...HandlerFunc) IRoutes {
+	return nil
+}
+
+func (_ *Engine) HandleContext(_ *Context) {}
+
+func (_ *Engine) LoadHTMLFiles(_ ...string) {}
+
+func (_ *Engine) LoadHTMLGlob(_ string) {}
+
+func (_ *Engine) NoMethod(_ ...HandlerFunc) {}
+
+func (_ *Engine) NoRoute(_ ...HandlerFunc) {}
+
+func (_ *Engine) OPTIONS(_ string, _ ...HandlerFunc) IRoutes {
+	return nil
+}
+
+func (_ *Engine) PATCH(_ string, _ ...HandlerFunc) IRoutes {
+	return nil
+}
+
+func (_ *Engine) POST(_ string, _ ...HandlerFunc) IRoutes {
+	return nil
+}
+
+func (_ *Engine) PUT(_ string, _ ...HandlerFunc) IRoutes {
+	return nil
+}
+
+func (_ *Engine) Routes() RoutesInfo {
+	return nil
+}
+
+func (_ *Engine) Run(_ ...string) error {
+	return nil
+}
+
+func (_ *Engine) RunFd(_ int) error {
+	return nil
+}
+
+func (_ *Engine) RunListener(_ net.Listener) error {
+	return nil
+}
+
+func (_ *Engine) RunTLS(_ string, _ string, _ string) error {
+	return nil
+}
+
+func (_ *Engine) RunUnix(_ string) error {
+	return nil
+}
+
+func (_ *Engine) SecureJsonPrefix(_ string) *Engine {
+	return nil
+}
+
+func (_ *Engine) ServeHTTP(_ http.ResponseWriter, _ *http.Request) {}
+
+func (_ *Engine) SetFuncMap(_ template.FuncMap) {}
+
+func (_ *Engine) SetHTMLTemplate(_ *template.Template) {}
+
+func (_ *Engine) Static(_ string, _ string) IRoutes {
+	return nil
+}
+
+func (_ *Engine) StaticFS(_ string, _ http.FileSystem) IRoutes {
+	return nil
+}
+
+func (_ *Engine) StaticFile(_ string, _ string) IRoutes {
+	return nil
+}
+
+func (_ *Engine) Use(_ ...HandlerFunc) IRoutes {
+	return nil
+}
+
+type Error struct {
+	Err  error
+	Type ErrorType
+	Meta interface{}
+}
+
+func (_ Error) Error() string {
+	return ""
+}
+
+func (_ *Error) IsType(_ ErrorType) bool {
+	return false
+}
+
+func (_ *Error) JSON() interface{} {
+	return nil
+}
+
+func (_ *Error) MarshalJSON() ([]byte, error) {
+	return nil, nil
+}
+
+func (_ *Error) SetMeta(_ interface{}) *Error {
+	return nil
+}
+
+func (_ *Error) SetType(_ ErrorType) *Error {
+	return nil
+}
+
+func (_ *Error) Unwrap() error {
+	return nil
+}
+
+type ErrorType uint64
+
+type HandlerFunc func(*Context)
+
+type HandlersChain []HandlerFunc
+
+func (_ HandlersChain) Last() HandlerFunc {
+	return nil
+}
+
+type IRoutes interface {
+	Any(_ string, _ ...HandlerFunc) IRoutes
+	DELETE(_ string, _ ...HandlerFunc) IRoutes
+	GET(_ string, _ ...HandlerFunc) IRoutes
+	HEAD(_ string, _ ...HandlerFunc) IRoutes
+	Handle(_ string, _ string, _ ...HandlerFunc) IRoutes
+	OPTIONS(_ string, _ ...HandlerFunc) IRoutes
+	PATCH(_ string, _ ...HandlerFunc) IRoutes
+	POST(_ string, _ ...HandlerFunc) IRoutes
+	PUT(_ string, _ ...HandlerFunc) IRoutes
+	Static(_ string, _ string) IRoutes
+	StaticFS(_ string, _ http.FileSystem) IRoutes
+	StaticFile(_ string, _ string) IRoutes
+	Use(_ ...HandlerFunc) IRoutes
+}
+
+type Negotiate struct {
+	Offered  []string
+	HTMLName string
+	HTMLData interface{}
+	JSONData interface{}
+	XMLData  interface{}
+	YAMLData interface{}
+	Data     interface{}
+}
+
+type Param struct {
+	Key   string
+	Value string
+}
+
+type Params []Param
+
+func (_ Params) ByName(_ string) string {
+	return ""
+}
+
+func (_ Params) Get(_ string) (string, bool) {
+	return "", false
+}
+
+type ResponseWriter interface {
+	CloseNotify() <-chan bool
+	Flush()
+	Header() http.Header
+	Hijack() (net.Conn, *bufio.ReadWriter, error)
+	Pusher() http.Pusher
+	Size() int
+	Status() int
+	Write(_ []byte) (int, error)
+	WriteHeader(_ int)
+	WriteHeaderNow()
+	WriteString(_ string) (int, error)
+	Written() bool
+}
+
+type RouteInfo struct {
+	Method      string
+	Path        string
+	Handler     string
+	HandlerFunc HandlerFunc
+}
+
+type RouterGroup struct {
+	Handlers HandlersChain
+}
+
+func (_ *RouterGroup) Any(_ string, _ ...HandlerFunc) IRoutes {
+	return nil
+}
+
+func (_ *RouterGroup) BasePath() string {
+	return ""
+}
+
+func (_ *RouterGroup) DELETE(_ string, _ ...HandlerFunc) IRoutes {
+	return nil
+}
+
+func (_ *RouterGroup) GET(_ string, _ ...HandlerFunc) IRoutes {
+	return nil
+}
+
+func (_ *RouterGroup) Group(_ string, _ ...HandlerFunc) *RouterGroup {
+	return nil
+}
+
+func (_ *RouterGroup) HEAD(_ string, _ ...HandlerFunc) IRoutes {
+	return nil
+}
+
+func (_ *RouterGroup) Handle(_ string, _ string, _ ...HandlerFunc) IRoutes {
+	return nil
+}
+
+func (_ *RouterGroup) OPTIONS(_ string, _ ...HandlerFunc) IRoutes {
+	return nil
+}
+
+func (_ *RouterGroup) PATCH(_ string, _ ...HandlerFunc) IRoutes {
+	return nil
+}
+
+func (_ *RouterGroup) POST(_ string, _ ...HandlerFunc) IRoutes {
+	return nil
+}
+
+func (_ *RouterGroup) PUT(_ string, _ ...HandlerFunc) IRoutes {
+	return nil
+}
+
+func (_ *RouterGroup) Static(_ string, _ string) IRoutes {
+	return nil
+}
+
+func (_ *RouterGroup) StaticFS(_ string, _ http.FileSystem) IRoutes {
+	return nil
+}
+
+func (_ *RouterGroup) StaticFile(_ string, _ string) IRoutes {
+	return nil
+}
+
+func (_ *RouterGroup) Use(_ ...HandlerFunc) IRoutes {
+	return nil
+}
+
+type RoutesInfo []RouteInfo

go/ql/test/query-tests/Security/CWE-1004/vendor/github.com/gorilla/sessions/stub.go

@@ -0,0 +1,75 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/gorilla/sessions, strictly for use in testing.
+
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/gorilla/sessions (exports: CookieStore; functions: NewCookieStore)
+
+// Package sessions is a stub of github.com/gorilla/sessions, generated by depstubber.
+package sessions
+
+import (
+	http "net/http"
+)
+
+type CookieStore struct {
+	Codecs  []interface{}
+	Options *Options
+}
+
+func (_ *CookieStore) Get(_ *http.Request, _ string) (*Session, error) {
+	return nil, nil
+}
+
+func (_ *CookieStore) MaxAge(_ int) {}
+
+func (_ *CookieStore) New(_ *http.Request, _ string) (*Session, error) {
+	return nil, nil
+}
+
+func (_ *CookieStore) Save(_ *http.Request, _ http.ResponseWriter, _ *Session) error {
+	return nil
+}
+
+func NewCookieStore(_ ...[]byte) *CookieStore {
+	return nil
+}
+
+type Options struct {
+	Path     string
+	Domain   string
+	MaxAge   int
+	Secure   bool
+	HttpOnly bool
+	SameSite http.SameSite
+}
+
+type Session struct {
+	ID      string
+	Values  map[interface{}]interface{}
+	Options *Options
+	IsNew   bool
+}
+
+func (_ *Session) AddFlash(_ interface{}, _ ...string) {}
+
+func (_ *Session) Flashes(_ ...string) []interface{} {
+	return nil
+}
+
+func (_ *Session) Name() string {
+	return ""
+}
+
+func (_ *Session) Save(_ *http.Request, _ http.ResponseWriter) error {
+	return nil
+}
+
+func (_ *Session) Store() Store {
+	return nil
+}
+
+type Store interface {
+	Get(_ *http.Request, _ string) (*Session, error)
+	New(_ *http.Request, _ string) (*Session, error)
+	Save(_ *http.Request, _ http.ResponseWriter, _ *Session) error
+}

go/ql/test/query-tests/Security/CWE-1004/vendor/modules.txt

@@ -0,0 +1,6 @@
+# github.com/gin-gonic/gin v1.7.1
+## explicit
+github.com/gin-gonic/gin
+# github.com/gorilla/sessions v1.2.1
+## explicit
+github.com/gorilla/sessions

go/ql/test/query-tests/Security/CWE-614/CookieWithoutSecure.expected

@@ -0,0 +1,6 @@
+| CookieWithoutSecure.go:14:2:14:22 | call to SetCookie | Cookie does not set Secure attribute to true. |
+| CookieWithoutSecure.go:23:2:23:22 | call to SetCookie | Cookie does not set Secure attribute to true. |
+| CookieWithoutSecure.go:50:2:50:22 | call to SetCookie | Cookie does not set Secure attribute to true. |
+| CookieWithoutSecure.go:60:2:60:22 | call to SetCookie | Cookie does not set Secure attribute to true. |
+| CookieWithoutSecure.go:90:2:90:22 | call to SetCookie | Cookie does not set Secure attribute to true. |
+| CookieWithoutSecure.go:102:4:102:71 | call to SetCookie | Cookie does not set Secure attribute to true. |

go/ql/test/query-tests/Security/CWE-614/CookieWithoutSecure.go

@@ -0,0 +1,107 @@
+package main
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+)
+
+func handler1(w http.ResponseWriter, r *http.Request) {
+	c := http.Cookie{
+		Name:  "session", // $ Source
+		Value: "secret",
+	}
+	http.SetCookie(w, &c) // $ Alert // BAD: Secure set to false by default
+}
+
+func handler2(w http.ResponseWriter, r *http.Request) {
+	c := http.Cookie{
+		Name:     "session", // $ Source
+		Value:    "secret",
+		Secure: false,
+	}
+	http.SetCookie(w, &c) // $ Alert // BAD: Secure explicitly set to false
+}
+
+func handler3(w http.ResponseWriter, r *http.Request) {
+	c := http.Cookie{
+		Name:     "session", 
+		Value:    "secret",
+		Secure: true,
+	}
+	http.SetCookie(w, &c) // GOOD: Secure explicitly set to true
+}
+
+func handler4(w http.ResponseWriter, r *http.Request) {
+	c := http.Cookie{
+		Name:  "session",
+		Value: "secret",
+	}
+	c.Secure = true
+	http.SetCookie(w, &c) // GOOD: Secure explicitly set to true
+}
+
+func handler5(w http.ResponseWriter, r *http.Request) {
+	c := http.Cookie{
+		Name:  "session", // $ Source
+		Value: "secret",
+	}
+	c.Secure = false
+	http.SetCookie(w, &c) // $ Alert // BAD: Secure explicitly set to false
+}
+
+func handler6(w http.ResponseWriter, r *http.Request) {
+	val := false
+	c := http.Cookie{
+		Name:     "session", // $ Source
+		Value:    "secret",
+		Secure: val,
+	}
+	http.SetCookie(w, &c) // $ Alert // BAD: Secure explicitly set to false
+}
+
+func handler7(w http.ResponseWriter, r *http.Request) {
+	val := true
+	c := http.Cookie{
+		Name:     "session", 
+		Value:    "secret",
+		Secure: val,
+	}
+	http.SetCookie(w, &c) // GOOD: Secure explicitly set to true
+}
+
+func handler8(w http.ResponseWriter, r *http.Request) {
+	val := true
+	c := http.Cookie{
+		Name:  "session",
+		Value: "secret",
+	}
+	c.Secure = val
+	http.SetCookie(w, &c) // GOOD: Secure explicitly set to true
+}
+
+func handler9(w http.ResponseWriter, r *http.Request) {
+	val := false
+	c := http.Cookie{
+		Name:  "session", // $ Source
+		Value: "secret",
+	}
+	c.Secure = val
+	http.SetCookie(w, &c) // $ Alert //BAD: Secure explicitly set to false
+}
+
+func main() {
+
+	router := gin.Default()
+
+	router.GET("/cookie", func(c *gin.Context) {
+
+		_, err := c.Cookie("session") 
+
+		if err != nil {
+			c.SetCookie("session", "test", 3600, "/", "localhost", false, false) // $ Alert // BAD: Secure set to false
+		}
+	})
+
+	router.Run()
+}

go/ql/test/query-tests/Security/CWE-614/CookieWithoutSecure.qlref

@@ -0,0 +1,2 @@
+query: security/CWE-614/CookieWithoutSecure.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

go/ql/test/query-tests/Security/CWE-614/go.mod

@@ -0,0 +1,8 @@
+module example.com/m
+
+go 1.14
+
+require (
+    github.com/gin-gonic/gin v1.7.1
+    github.com/gorilla/sessions v1.2.1
+    )

go/ql/test/query-tests/Security/CWE-614/vendor/github.com/gin-gonic/gin/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2014 Manuel Martínez-Almeida
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

go/ql/test/query-tests/Security/CWE-614/vendor/github.com/gin-gonic/gin/binding/stub.go

@@ -0,0 +1,12 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/gin-gonic/gin/binding, strictly for use in testing.
+
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/gin-gonic/gin/binding (exports: ; functions: YAML)
+
+// Package binding is a stub of github.com/gin-gonic/gin/binding, generated by depstubber.
+package binding
+
+import ()
+
+var YAML interface{} = nil

go/ql/test/query-tests/Security/CWE-614/vendor/github.com/gin-gonic/gin/stub.go

@@ -0,0 +1,677 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/gin-gonic/gin, strictly for use in testing.
+
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/gin-gonic/gin (exports: Context; functions: Default)
+
+// Package gin is a stub of github.com/gin-gonic/gin, generated by depstubber.
+package gin
+
+import (
+	bufio "bufio"
+	template "html/template"
+	io "io"
+	multipart "mime/multipart"
+	net "net"
+	http "net/http"
+	time "time"
+)
+
+type Context struct {
+	Request  *http.Request
+	Writer   ResponseWriter
+	Params   Params
+	Keys     map[string]interface{}
+	Errors   interface{}
+	Accepted []string
+}
+
+func (_ *Context) Abort() {}
+
+func (_ *Context) AbortWithError(_ int, _ error) *Error {
+	return nil
+}
+
+func (_ *Context) AbortWithStatus(_ int) {}
+
+func (_ *Context) AbortWithStatusJSON(_ int, _ interface{}) {}
+
+func (_ *Context) AsciiJSON(_ int, _ interface{}) {}
+
+func (_ *Context) Bind(_ interface{}) error {
+	return nil
+}
+
+func (_ *Context) BindHeader(_ interface{}) error {
+	return nil
+}
+
+func (_ *Context) BindJSON(_ interface{}) error {
+	return nil
+}
+
+func (_ *Context) BindQuery(_ interface{}) error {
+	return nil
+}
+
+func (_ *Context) BindUri(_ interface{}) error {
+	return nil
+}
+
+func (_ *Context) BindWith(_ interface{}, _ interface{}) error {
+	return nil
+}
+
+func (_ *Context) BindXML(_ interface{}) error {
+	return nil
+}
+
+func (_ *Context) BindYAML(_ interface{}) error {
+	return nil
+}
+
+func (_ *Context) ClientIP() string {
+	return ""
+}
+
+func (_ *Context) ContentType() string {
+	return ""
+}
+
+func (_ *Context) Cookie(_ string) (string, error) {
+	return "", nil
+}
+
+func (_ *Context) Copy() *Context {
+	return nil
+}
+
+func (_ *Context) Data(_ int, _ string, _ []byte) {}
+
+func (_ *Context) DataFromReader(_ int, _ int64, _ string, _ io.Reader, _ map[string]string) {}
+
+func (_ *Context) Deadline() (time.Time, bool) {
+	return time.Time{}, false
+}
+
+func (_ *Context) DefaultPostForm(_ string, _ string) string {
+	return ""
+}
+
+func (_ *Context) DefaultQuery(_ string, _ string) string {
+	return ""
+}
+
+func (_ *Context) Done() <-chan struct{} {
+	return nil
+}
+
+func (_ *Context) Err() error {
+	return nil
+}
+
+func (_ *Context) Error(_ error) *Error {
+	return nil
+}
+
+func (_ *Context) File(_ string) {}
+
+func (_ *Context) FileAttachment(_ string, _ string) {}
+
+func (_ *Context) FileFromFS(_ string, _ http.FileSystem) {}
+
+func (_ *Context) FormFile(_ string) (*multipart.FileHeader, error) {
+	return nil, nil
+}
+
+func (_ *Context) FullPath() string {
+	return ""
+}
+
+func (_ *Context) Get(_ string) (interface{}, bool) {
+	return nil, false
+}
+
+func (_ *Context) GetBool(_ string) bool {
+	return false
+}
+
+func (_ *Context) GetDuration(_ string) time.Duration {
+	return 0
+}
+
+func (_ *Context) GetFloat64(_ string) float64 {
+	return 0
+}
+
+func (_ *Context) GetHeader(_ string) string {
+	return ""
+}
+
+func (_ *Context) GetInt(_ string) int {
+	return 0
+}
+
+func (_ *Context) GetInt64(_ string) int64 {
+	return 0
+}
+
+func (_ *Context) GetPostForm(_ string) (string, bool) {
+	return "", false
+}
+
+func (_ *Context) GetPostFormArray(_ string) ([]string, bool) {
+	return nil, false
+}
+
+func (_ *Context) GetPostFormMap(_ string) (map[string]string, bool) {
+	return nil, false
+}
+
+func (_ *Context) GetQuery(_ string) (string, bool) {
+	return "", false
+}
+
+func (_ *Context) GetQueryArray(_ string) ([]string, bool) {
+	return nil, false
+}
+
+func (_ *Context) GetQueryMap(_ string) (map[string]string, bool) {
+	return nil, false
+}
+
+func (_ *Context) GetRawData() ([]byte, error) {
+	return nil, nil
+}
+
+func (_ *Context) GetString(_ string) string {
+	return ""
+}
+
+func (_ *Context) GetStringMap(_ string) map[string]interface{} {
+	return nil
+}
+
+func (_ *Context) GetStringMapString(_ string) map[string]string {
+	return nil
+}
+
+func (_ *Context) GetStringMapStringSlice(_ string) map[string][]string {
+	return nil
+}
+
+func (_ *Context) GetStringSlice(_ string) []string {
+	return nil
+}
+
+func (_ *Context) GetTime(_ string) time.Time {
+	return time.Time{}
+}
+
+func (_ *Context) GetUint(_ string) uint {
+	return 0
+}
+
+func (_ *Context) GetUint64(_ string) uint64 {
+	return 0
+}
+
+func (_ *Context) HTML(_ int, _ string, _ interface{}) {}
+
+func (_ *Context) Handler() HandlerFunc {
+	return nil
+}
+
+func (_ *Context) HandlerName() string {
+	return ""
+}
+
+func (_ *Context) HandlerNames() []string {
+	return nil
+}
+
+func (_ *Context) Header(_ string, _ string) {}
+
+func (_ *Context) IndentedJSON(_ int, _ interface{}) {}
+
+func (_ *Context) IsAborted() bool {
+	return false
+}
+
+func (_ *Context) IsWebsocket() bool {
+	return false
+}
+
+func (_ *Context) JSON(_ int, _ interface{}) {}
+
+func (_ *Context) JSONP(_ int, _ interface{}) {}
+
+func (_ *Context) MultipartForm() (*multipart.Form, error) {
+	return nil, nil
+}
+
+func (_ *Context) MustBindWith(_ interface{}, _ interface{}) error {
+	return nil
+}
+
+func (_ *Context) MustGet(_ string) interface{} {
+	return nil
+}
+
+func (_ *Context) Negotiate(_ int, _ Negotiate) {}
+
+func (_ *Context) NegotiateFormat(_ ...string) string {
+	return ""
+}
+
+func (_ *Context) Next() {}
+
+func (_ *Context) Param(_ string) string {
+	return ""
+}
+
+func (_ *Context) PostForm(_ string) string {
+	return ""
+}
+
+func (_ *Context) PostFormArray(_ string) []string {
+	return nil
+}
+
+func (_ *Context) PostFormMap(_ string) map[string]string {
+	return nil
+}
+
+func (_ *Context) ProtoBuf(_ int, _ interface{}) {}
+
+func (_ *Context) PureJSON(_ int, _ interface{}) {}
+
+func (_ *Context) Query(_ string) string {
+	return ""
+}
+
+func (_ *Context) QueryArray(_ string) []string {
+	return nil
+}
+
+func (_ *Context) QueryMap(_ string) map[string]string {
+	return nil
+}
+
+func (_ *Context) Redirect(_ int, _ string) {}
+
+func (_ *Context) RemoteIP() (net.IP, bool) {
+	return nil, false
+}
+
+func (_ *Context) Render(_ int, _ interface{}) {}
+
+func (_ *Context) SSEvent(_ string, _ interface{}) {}
+
+func (_ *Context) SaveUploadedFile(_ *multipart.FileHeader, _ string) error {
+	return nil
+}
+
+func (_ *Context) SecureJSON(_ int, _ interface{}) {}
+
+func (_ *Context) Set(_ string, _ interface{}) {}
+
+func (_ *Context) SetAccepted(_ ...string) {}
+
+func (_ *Context) SetCookie(_ string, _ string, _ int, _ string, _ string, _ bool, _ bool) {}
+
+func (_ *Context) SetSameSite(_ http.SameSite) {}
+
+func (_ *Context) ShouldBind(_ interface{}) error {
+	return nil
+}
+
+func (_ *Context) ShouldBindBodyWith(_ interface{}, _ interface{}) error {
+	return nil
+}
+
+func (_ *Context) ShouldBindHeader(_ interface{}) error {
+	return nil
+}
+
+func (_ *Context) ShouldBindJSON(_ interface{}) error {
+	return nil
+}
+
+func (_ *Context) ShouldBindQuery(_ interface{}) error {
+	return nil
+}
+
+func (_ *Context) ShouldBindUri(_ interface{}) error {
+	return nil
+}
+
+func (_ *Context) ShouldBindWith(_ interface{}, _ interface{}) error {
+	return nil
+}
+
+func (_ *Context) ShouldBindXML(_ interface{}) error {
+	return nil
+}
+
+func (_ *Context) ShouldBindYAML(_ interface{}) error {
+	return nil
+}
+
+func (_ *Context) Status(_ int) {}
+
+func (_ *Context) Stream(_ func(io.Writer) bool) bool {
+	return false
+}
+
+func (_ *Context) String(_ int, _ string, _ ...interface{}) {}
+
+func (_ *Context) Value(_ interface{}) interface{} {
+	return nil
+}
+
+func (_ *Context) XML(_ int, _ interface{}) {}
+
+func (_ *Context) YAML(_ int, _ interface{}) {}
+
+func Default() *Engine {
+	return nil
+}
+
+type Engine struct {
+	RouterGroup            RouterGroup
+	RedirectTrailingSlash  bool
+	RedirectFixedPath      bool
+	HandleMethodNotAllowed bool
+	ForwardedByClientIP    bool
+	RemoteIPHeaders        []string
+	TrustedProxies         []string
+	AppEngine              bool
+	UseRawPath             bool
+	UnescapePathValues     bool
+	MaxMultipartMemory     int64
+	RemoveExtraSlash       bool
+	HTMLRender             interface{}
+	FuncMap                template.FuncMap
+}
+
+func (_ *Engine) Any(_ string, _ ...HandlerFunc) IRoutes {
+	return nil
+}
+
+func (_ *Engine) BasePath() string {
+	return ""
+}
+
+func (_ *Engine) DELETE(_ string, _ ...HandlerFunc) IRoutes {
+	return nil
+}
+
+func (_ *Engine) Delims(_ string, _ string) *Engine {
+	return nil
+}
+
+func (_ *Engine) GET(_ string, _ ...HandlerFunc) IRoutes {
+	return nil
+}
+
+func (_ *Engine) Group(_ string, _ ...HandlerFunc) *RouterGroup {
+	return nil
+}
+
+func (_ *Engine) HEAD(_ string, _ ...HandlerFunc) IRoutes {
+	return nil
+}
+
+func (_ *Engine) Handle(_ string, _ string, _ ...HandlerFunc) IRoutes {
+	return nil
+}
+
+func (_ *Engine) HandleContext(_ *Context) {}
+
+func (_ *Engine) LoadHTMLFiles(_ ...string) {}
+
+func (_ *Engine) LoadHTMLGlob(_ string) {}
+
+func (_ *Engine) NoMethod(_ ...HandlerFunc) {}
+
+func (_ *Engine) NoRoute(_ ...HandlerFunc) {}
+
+func (_ *Engine) OPTIONS(_ string, _ ...HandlerFunc) IRoutes {
+	return nil
+}
+
+func (_ *Engine) PATCH(_ string, _ ...HandlerFunc) IRoutes {
+	return nil
+}
+
+func (_ *Engine) POST(_ string, _ ...HandlerFunc) IRoutes {
+	return nil
+}
+
+func (_ *Engine) PUT(_ string, _ ...HandlerFunc) IRoutes {
+	return nil
+}
+
+func (_ *Engine) Routes() RoutesInfo {
+	return nil
+}
+
+func (_ *Engine) Run(_ ...string) error {
+	return nil
+}
+
+func (_ *Engine) RunFd(_ int) error {
+	return nil
+}
+
+func (_ *Engine) RunListener(_ net.Listener) error {
+	return nil
+}
+
+func (_ *Engine) RunTLS(_ string, _ string, _ string) error {
+	return nil
+}
+
+func (_ *Engine) RunUnix(_ string) error {
+	return nil
+}
+
+func (_ *Engine) SecureJsonPrefix(_ string) *Engine {
+	return nil
+}
+
+func (_ *Engine) ServeHTTP(_ http.ResponseWriter, _ *http.Request) {}
+
+func (_ *Engine) SetFuncMap(_ template.FuncMap) {}
+
+func (_ *Engine) SetHTMLTemplate(_ *template.Template) {}
+
+func (_ *Engine) Static(_ string, _ string) IRoutes {
+	return nil
+}
+
+func (_ *Engine) StaticFS(_ string, _ http.FileSystem) IRoutes {
+	return nil
+}
+
+func (_ *Engine) StaticFile(_ string, _ string) IRoutes {
+	return nil
+}
+
+func (_ *Engine) Use(_ ...HandlerFunc) IRoutes {
+	return nil
+}
+
+type Error struct {
+	Err  error
+	Type ErrorType
+	Meta interface{}
+}
+
+func (_ Error) Error() string {
+	return ""
+}
+
+func (_ *Error) IsType(_ ErrorType) bool {
+	return false
+}
+
+func (_ *Error) JSON() interface{} {
+	return nil
+}
+
+func (_ *Error) MarshalJSON() ([]byte, error) {
+	return nil, nil
+}
+
+func (_ *Error) SetMeta(_ interface{}) *Error {
+	return nil
+}
+
+func (_ *Error) SetType(_ ErrorType) *Error {
+	return nil
+}
+
+func (_ *Error) Unwrap() error {
+	return nil
+}
+
+type ErrorType uint64
+
+type HandlerFunc func(*Context)
+
+type HandlersChain []HandlerFunc
+
+func (_ HandlersChain) Last() HandlerFunc {
+	return nil
+}
+
+type IRoutes interface {
+	Any(_ string, _ ...HandlerFunc) IRoutes
+	DELETE(_ string, _ ...HandlerFunc) IRoutes
+	GET(_ string, _ ...HandlerFunc) IRoutes
+	HEAD(_ string, _ ...HandlerFunc) IRoutes
+	Handle(_ string, _ string, _ ...HandlerFunc) IRoutes
+	OPTIONS(_ string, _ ...HandlerFunc) IRoutes
+	PATCH(_ string, _ ...HandlerFunc) IRoutes
+	POST(_ string, _ ...HandlerFunc) IRoutes
+	PUT(_ string, _ ...HandlerFunc) IRoutes
+	Static(_ string, _ string) IRoutes
+	StaticFS(_ string, _ http.FileSystem) IRoutes
+	StaticFile(_ string, _ string) IRoutes
+	Use(_ ...HandlerFunc) IRoutes
+}
+
+type Negotiate struct {
+	Offered  []string
+	HTMLName string
+	HTMLData interface{}
+	JSONData interface{}
+	XMLData  interface{}
+	YAMLData interface{}
+	Data     interface{}
+}
+
+type Param struct {
+	Key   string
+	Value string
+}
+
+type Params []Param
+
+func (_ Params) ByName(_ string) string {
+	return ""
+}
+
+func (_ Params) Get(_ string) (string, bool) {
+	return "", false
+}
+
+type ResponseWriter interface {
+	CloseNotify() <-chan bool
+	Flush()
+	Header() http.Header
+	Hijack() (net.Conn, *bufio.ReadWriter, error)
+	Pusher() http.Pusher
+	Size() int
+	Status() int
+	Write(_ []byte) (int, error)
+	WriteHeader(_ int)
+	WriteHeaderNow()
+	WriteString(_ string) (int, error)
+	Written() bool
+}
+
+type RouteInfo struct {
+	Method      string
+	Path        string
+	Handler     string
+	HandlerFunc HandlerFunc
+}
+
+type RouterGroup struct {
+	Handlers HandlersChain
+}
+
+func (_ *RouterGroup) Any(_ string, _ ...HandlerFunc) IRoutes {
+	return nil
+}
+
+func (_ *RouterGroup) BasePath() string {
+	return ""
+}
+
+func (_ *RouterGroup) DELETE(_ string, _ ...HandlerFunc) IRoutes {
+	return nil
+}
+
+func (_ *RouterGroup) GET(_ string, _ ...HandlerFunc) IRoutes {
+	return nil
+}
+
+func (_ *RouterGroup) Group(_ string, _ ...HandlerFunc) *RouterGroup {
+	return nil
+}
+
+func (_ *RouterGroup) HEAD(_ string, _ ...HandlerFunc) IRoutes {
+	return nil
+}
+
+func (_ *RouterGroup) Handle(_ string, _ string, _ ...HandlerFunc) IRoutes {
+	return nil
+}
+
+func (_ *RouterGroup) OPTIONS(_ string, _ ...HandlerFunc) IRoutes {
+	return nil
+}
+
+func (_ *RouterGroup) PATCH(_ string, _ ...HandlerFunc) IRoutes {
+	return nil
+}
+
+func (_ *RouterGroup) POST(_ string, _ ...HandlerFunc) IRoutes {
+	return nil
+}
+
+func (_ *RouterGroup) PUT(_ string, _ ...HandlerFunc) IRoutes {
+	return nil
+}
+
+func (_ *RouterGroup) Static(_ string, _ string) IRoutes {
+	return nil
+}
+
+func (_ *RouterGroup) StaticFS(_ string, _ http.FileSystem) IRoutes {
+	return nil
+}
+
+func (_ *RouterGroup) StaticFile(_ string, _ string) IRoutes {
+	return nil
+}
+
+func (_ *RouterGroup) Use(_ ...HandlerFunc) IRoutes {
+	return nil
+}
+
+type RoutesInfo []RouteInfo

go/ql/test/query-tests/Security/CWE-614/vendor/github.com/gorilla/sessions/stub.go

@@ -0,0 +1,75 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/gorilla/sessions, strictly for use in testing.
+
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/gorilla/sessions (exports: CookieStore; functions: NewCookieStore)
+
+// Package sessions is a stub of github.com/gorilla/sessions, generated by depstubber.
+package sessions
+
+import (
+	http "net/http"
+)
+
+type CookieStore struct {
+	Codecs  []interface{}
+	Options *Options
+}
+
+func (_ *CookieStore) Get(_ *http.Request, _ string) (*Session, error) {
+	return nil, nil
+}
+
+func (_ *CookieStore) MaxAge(_ int) {}
+
+func (_ *CookieStore) New(_ *http.Request, _ string) (*Session, error) {
+	return nil, nil
+}
+
+func (_ *CookieStore) Save(_ *http.Request, _ http.ResponseWriter, _ *Session) error {
+	return nil
+}
+
+func NewCookieStore(_ ...[]byte) *CookieStore {
+	return nil
+}
+
+type Options struct {
+	Path     string
+	Domain   string
+	MaxAge   int
+	Secure   bool
+	HttpOnly bool
+	SameSite http.SameSite
+}
+
+type Session struct {
+	ID      string
+	Values  map[interface{}]interface{}
+	Options *Options
+	IsNew   bool
+}
+
+func (_ *Session) AddFlash(_ interface{}, _ ...string) {}
+
+func (_ *Session) Flashes(_ ...string) []interface{} {
+	return nil
+}
+
+func (_ *Session) Name() string {
+	return ""
+}
+
+func (_ *Session) Save(_ *http.Request, _ http.ResponseWriter) error {
+	return nil
+}
+
+func (_ *Session) Store() Store {
+	return nil
+}
+
+type Store interface {
+	Get(_ *http.Request, _ string) (*Session, error)
+	New(_ *http.Request, _ string) (*Session, error)
+	Save(_ *http.Request, _ http.ResponseWriter, _ *Session) error
+}

go/ql/test/query-tests/Security/CWE-614/vendor/modules.txt

@@ -0,0 +1,6 @@
+# github.com/gin-gonic/gin v1.7.1
+## explicit
+github.com/gin-gonic/gin
+# github.com/gorilla/sessions v1.2.1
+## explicit
+github.com/gorilla/sessions