Add unit tests

2026-04-28 10:15:14 +02:00 · 2024-07-23 10:08:21 +01:00
parent b28d79960b
commit 93f70b3ad9
4 changed files with 32 additions and 1 deletions
--- a/python/ql/src/Security/CWE-614/InsecureCookie.ql
+++ b/python/ql/src/Security/CWE-614/InsecureCookie.ql
@@ -38,7 +38,7 @@ predicate hasAlert(Http::Server::CookieWrite cookie, string alert) {
    or
    numProblems = 2 and
    alert =
-      strictconcat(string prob, int idx | hasProblem(cookie, prob, idx) | " and ", prob order by idx)
+      strictconcat(string prob, int idx | hasProblem(cookie, prob, idx) | prob, " and " order by idx)
        + " attributes"
    or
    numProblems = 3 and
--- a/python/ql/test/query-tests/Security/CWE-614-InsecureCookie/InsecureCookie.expected
+++ b/python/ql/test/query-tests/Security/CWE-614-InsecureCookie/InsecureCookie.expected
@@ -0,0 +1,10 @@
+| test.py:10:5:10:37 | ControlFlowNode for Attribute() | Cookie is added without the Secure and HttpOnly attributes properly set. |
+| test.py:11:5:11:50 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
+| test.py:12:5:12:52 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
+| test.py:13:5:13:56 | ControlFlowNode for Attribute() | Cookie is added without the Secure and HttpOnly attributes properly set. |
+| test.py:14:5:14:53 | ControlFlowNode for Attribute() | Cookie is added without the Secure and HttpOnly attributes properly set. |
+| test.py:15:5:15:54 | ControlFlowNode for Attribute() | Cookie is added without the Secure, HttpOnly, and SameSite attributes properly set. |
+| test.py:16:5:16:69 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
+| test.py:17:5:17:71 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
+| test.py:18:5:18:67 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly and SameSite attributes properly set. |
+| test.py:19:5:19:69 | ControlFlowNode for Attribute() | Cookie is added without the Secure and SameSite attributes properly set. |
--- a/python/ql/test/query-tests/Security/CWE-614-InsecureCookie/InsecureCookie.qlref
+++ b/python/ql/test/query-tests/Security/CWE-614-InsecureCookie/InsecureCookie.qlref
@@ -0,0 +1 @@
+Security/CWE-614/InsecureCookie.ql
--- a/python/ql/test/query-tests/Security/CWE-614-InsecureCookie/test.py
+++ b/python/ql/test/query-tests/Security/CWE-614-InsecureCookie/test.py
@@ -0,0 +1,20 @@
+from flask import Flask, request, make_response
+import lxml.etree
+import markupsafe
+
+app = Flask(__name__)
+
+@app.route("/test")
+def test():
+    resp = make_response()
+    resp.set_cookie("key1", "value1")
+    resp.set_cookie("key2", "value2", secure=True)
+    resp.set_cookie("key2", "value2", httponly=True)
+    resp.set_cookie("key2", "value2", samesite="Strict")
+    resp.set_cookie("key2", "value2", samesite="Lax")
+    resp.set_cookie("key2", "value2", samesite="None")
+    resp.set_cookie("key2", "value2", secure=True, samesite="Strict")
+    resp.set_cookie("key2", "value2", httponly=True, samesite="Strict")
+    resp.set_cookie("key2", "value2", secure=True, samesite="None")
+    resp.set_cookie("key2", "value2", httponly=True, samesite="None")
+    resp.set_cookie("key2", "value2", secure=True, httponly=True, samesite="Strict")