check for sensitive property name

2026-04-30 19:26:02 +02:00 · 2021-05-03 00:31:29 +03:00
parent 7ab91bb185
commit 97bc7e38d2
3 changed files with 14 additions and 1 deletions
--- a/javascript/ql/src/semmle/javascript/security/InsecureCookie.qll
+++ b/javascript/ql/src/semmle/javascript/security/InsecureCookie.qll
@@ -53,7 +53,8 @@ module Cookie {
      exists(string val |
        (
          val = expr.getStringValue() or
-          val = expr.asExpr().(VarAccess).getName()
+          val = expr.asExpr().(VarAccess).getName() or
+          val = expr.(DataFlow::PropRead).getPropertyName()
        ) and
        regexpMatchAuth(val)
      )
--- a/javascript/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.expected
@@ -14,3 +14,4 @@
 | test_responseCookie.js:65:5:65:43 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true. |
 | test_responseCookie.js:84:5:84:43 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true. |
 | test_responseCookie.js:95:5:95:41 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true. |
+| test_responseCookie.js:106:5:106:43 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true. |
--- a/javascript/ql/test/query-tests/Security/CWE-1004/test_responseCookie.js
+++ b/javascript/ql/test/query-tests/Security/CWE-1004/test_responseCookie.js
@@ -96,6 +96,17 @@ app.get('/a', function (req, res, next) {
    res.end('ok')
 })

+app.get('/a', function (req, res, next) {
+    let options = {
+        maxAge: 9000000000,
+        httpOnly: false,
+    }
+    options.httpOnly = false;
+    let o = { session: "blabla" }
+    res.cookie(o.session, 'value', options); // BAD, var name likely auth related
+    res.end('ok')
+})
+
 app.get('/a', function (req, res, next) {
    let options = {
        maxAge: 9000000000,