hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-23 07:45:17 +02:00
Code Issues Packages Projects Releases Wiki Activity

Polish CookieWrite

Browse Source
This commit is contained in:
jorgectf
2021-07-25 18:18:29 +02:00
parent 65044293dd
commit 983465963a
3 changed files with 28 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
python/ql/src/experimental/Security/CWE-614/InsecureCookie.ql
View File

@@ -15,16 +15,20 @@ import semmle.python.dataflow.new.DataFlow
import semmle.python.Concepts
import experimental.semmle.python.Concepts
from HeaderDeclaration headerWrite, False f, None n
from Expr cookieExpr, False f, None n
where
exists(StrConst headerName, StrConst headerValue |
exists(HeaderDeclaration headerWrite, StrConst headerName, StrConst headerValue |
headerName.getText() = "Set-Cookie" and
DataFlow::exprNode(headerName).(DataFlow::LocalSourceNode).flowsTo(headerWrite.getNameArg()) and
not headerValue.getText().regexpMatch(".*; *Secure;.*") and
DataFlow::exprNode(headerValue).(DataFlow::LocalSourceNode).flowsTo(headerWrite.getValueArg())
DataFlow::exprNode(headerValue).(DataFlow::LocalSourceNode).flowsTo(headerWrite.getValueArg()) and
cookieExpr = headerWrite.asExpr()
)
or
[DataFlow::exprNode(f), DataFlow::exprNode(n)]
.(DataFlow::LocalSourceNode)
.flowsTo(headerWrite.(DataFlow::CallCfgNode).getArgByName("secure"))
select headerWrite, "Cookie is added to response without the 'secure' flag being set."
exists(ExperimentalHTTP::CookieWrite cookieWrite |
[DataFlow::exprNode(f), DataFlow::exprNode(n)]
.(DataFlow::LocalSourceNode)
.flowsTo(cookieWrite.(DataFlow::CallCfgNode).getArgByName("secure")) and
cookieExpr = cookieWrite.asExpr()
)
select cookieExpr, "Cookie is added to response without the 'secure' flag being set."

16
python/ql/src/experimental/semmle/python/frameworks/Flask.qll
View File

@@ -81,4 +81,20 @@ module ExperimentalFlask {
override DataFlow::Node getValueArg() { result.asExpr() = item.getValue() }
}
class DjangoSetCookieCall extends DataFlow::CallCfgNode, ExperimentalHTTP::CookieWrite::Range {
DjangoSetCookieCall() {
this =
[Flask::Response::classRef(), flaskMakeResponse()]
.getReturn()
.getMember("set_cookie")
.getACall()
}
override DataFlow::Node getHeaderArg() { none() }
override DataFlow::Node getNameArg() { result = this.getArg(0) }
override DataFlow::Node getValueArg() { result = this.getArg(1) }
}
}

2
python/ql/test/experimental/query-tests/Security/CWE-614/django_bad.py
View File

@@ -9,5 +9,5 @@ def django_response(request):
def django_response(request):
resp = django.http.HttpResponse()
resp.set_cookie("name", "value")
resp.set_cookie("name", "value", secure=False)
return resp