hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Presere behaviour for insecure cookie constructor

Browse Source
This commit is contained in:
Joe Farebrother
2025-10-17 15:13:31 +01:00
parent d3ea6758c3
commit a1864edcb6
1 changed files with 13 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
csharp/ql/src/experimental/Security Features/CWE-614/CookieWithoutSecure.ql
View File

@@ -30,11 +30,15 @@ predicate cookieAppendSecureByDefault() {
OnAppendCookieSecureTracking::flowTo(_)
}
predicate secureFalseOrNotSet(ObjectCreation oc) {
predicate secureFalse(ObjectCreation oc) {
exists(Assignment a |
getAValueForProp(oc, a, "Secure") = a.getRValue() and
a.getRValue().getValue() = "false"
)
}
predicate secureFalseOrNotSet(ObjectCreation oc) {
secureFalse(oc)
or
not isPropertySet(oc, "Secure")
}
@@ -58,12 +62,13 @@ predicate insecureCookieAppend(Expr sink) {
)
}
predicate insecureCookieCreationFromConfig(Expr sink) {
// `Secure` property in `System.Web.HttpCookie` wasn't set, so a default value from config is used
exists(ObjectCreation oc |
oc = sink and
oc.getType() instanceof SystemWebHttpCookie and
not isPropertySet(oc, "Secure") and
predicate insecureCookieCreation(ObjectCreation oc) {
oc.getType() instanceof SystemWebHttpCookie and
(
secureFalse(oc)
or
// `Secure` property in `System.Web.HttpCookie` wasn't set, so a default value from config is used
isPropertySet(oc, "Secure") and
// the default in config is not set to `true`
// the `exists` below covers the `cs/web/requiressl-not-set`
not exists(XmlElement element |
@@ -84,27 +89,9 @@ predicate insecureCookieCall(Call c) {
insecureCookieAppend(c)
)
or
insecureCookieCreationFromConfig(c)
insecureCookieCreation(c)
}
// predicate insecureCookieCreationAssignment(Assignment a, Expr val) {
// exists(ObjectCreation oc |
// getAValueForProp(oc, a, "Secure") = val and
// val.getValue() = "false" and
// (
// oc.getType() instanceof SystemWebHttpCookie
// or
// oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
// // there is no callback `OnAppendCookie` that sets `Secure` to true
// not OnAppendCookieSecureTracking::flowTo(_) and
// // the cookie option is passed to `Append`
// exists(DataFlow::Node creation |
// CookieOptionsTracking::flow(creation, _) and
// creation.asExpr() = oc
// )
// )
// )
// }
predicate insecureSecurePolicyAssignment(Assignment a, Expr val) {
exists(PropertyWrite pw |
(