C#: Re-factor CookieOptionsTracking to use the new API.

Michael Nebel
2023-04-14 13:27:02 +02:00
parent b3de105665
commit a4ee35302d
3 changed files with 34 additions and 12 deletions


@@ -38,11 +38,8 @@ where
// there is no callback `OnAppendCookie` that sets `HttpOnly` to true
not exists(OnAppendCookieHttpOnlyTrackingConfig config | config.hasFlowTo(_)) and
// Passed as third argument to `IResponseCookies.Append`
exists(
CookieOptionsTrackingConfiguration cookieTracking, DataFlow::Node creation,
DataFlow::Node append
|
cookieTracking.hasFlow(creation, append) and
exists(DataFlow::Node creation, DataFlow::Node append |
CookieOptionsTracking::flow(creation, append) and
creation.asExpr() = oc and
append.asExpr() = mc.getArgument(2)
)
@@ -79,8 +76,8 @@ where
oc = c and
oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
not isPropertySet(oc, "HttpOnly") and
exists(CookieOptionsTrackingConfiguration cookieTracking, DataFlow::Node creation |
cookieTracking.hasFlow(creation, _) and
exists(DataFlow::Node creation |
CookieOptionsTracking::flow(creation, _) and
creation.asExpr() = oc
)
)
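Review bot: The `exists(DataFlow::Node creation, DataFlow::Node append | ...)` wrapper in the first hunk only converts `oc` and `mc.getArgument(2)` into nodes, so it can be written directly as `CookieOptionsTracking::flow(DataFlow::exprNode(oc), DataFlow::exprNode(mc.getArgument(2)))`. The second hunk here and both hunks of the `Secure` query file have the same shape with a wildcard sink and reduce to `CookieOptionsTracking::flow(DataFlow::exprNode(oc), _)`. With fewer bound variables it is easier to see that the alert is tied to the specific creation `oc`. The `where` clauses begin outside the hunks, so the rest of each condition is not visible here.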


@@ -37,8 +37,8 @@ where
oc = c and
oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
not isPropertySet(oc, "Secure") and
exists(CookieOptionsTrackingConfiguration cookieTracking, DataFlow::Node creation |
cookieTracking.hasFlow(creation, _) and
exists(DataFlow::Node creation |
CookieOptionsTracking::flow(creation, _) and
creation.asExpr() = oc
)
)
@@ -82,8 +82,8 @@ where
// there is no callback `OnAppendCookie` that sets `Secure` to true
not exists(OnAppendCookieSecureTrackingConfig config | config.hasFlowTo(_)) and
// the cookie option is passed to `Append`
exists(CookieOptionsTrackingConfiguration cookieTracking, DataFlow::Node creation |
cookieTracking.hasFlow(creation, _) and
exists(DataFlow::Node creation |
CookieOptionsTracking::flow(creation, _) and
creation.asExpr() = oc
)
)


@@ -40,9 +40,11 @@ private class AuthCookieNameConfiguration extends DataFlow::Configuration {
}
/**
* DEPRECATED: Use `CookieOptionsTracking` instead.
*
* Tracks creation of `CookieOptions` to `IResponseCookies.Append(String, String, CookieOptions)` call as a third parameter.
*/
class CookieOptionsTrackingConfiguration extends DataFlow::Configuration {
deprecated class CookieOptionsTrackingConfiguration extends DataFlow::Configuration {
CookieOptionsTrackingConfiguration() { this = "CookieOptionsTrackingConfiguration" }
override predicate isSource(DataFlow::Node source) {
@@ -57,6 +59,29 @@ class CookieOptionsTrackingConfiguration extends DataFlow::Configuration {
}
}
/**
* Configuration module tracking creation of `CookieOptions` to `IResponseCookies.Append(String, String, CookieOptions)`
* calls as a third parameter.
*/
private module CookieOptionsTrackingConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
source.asExpr().(ObjectCreation).getType() instanceof MicrosoftAspNetCoreHttpCookieOptions
}
predicate isSink(DataFlow::Node sink) {
exists(MicrosoftAspNetCoreHttpResponseCookies iResponse, MethodCall mc |
iResponse.getAppendMethod() = mc.getTarget() and
mc.getArgument(2) = sink.asExpr()
)
}
}
/**
* Tracking creation of `CookieOptions` to `IResponseCookies.Append(String, String, CookieOptions)`
* calls as a third parameter.
*/
module CookieOptionsTracking = DataFlow::Global<CookieOptionsTrackingConfig>;
/**
* Looks for property value of `CookiePolicyOptions` passed to `app.UseCookiePolicy` in `Startup.Configure`.
*/
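Review bot: `isSink` in the new `CookieOptionsTrackingConfig` matches the options object by position with `mc.getArgument(2)`, so a call that reorders named arguments (for example passing `options:` first) would presumably not be recognised as a sink, and the `HttpOnly`/`Secure` queries would stay silent for that cookie. Binding by parameter instead, e.g. `mc.getArgumentForParameter(mc.getTarget().getParameter(2)) = sink.asExpr()`, keeps the sink independent of call-site argument order. The same positional lookup appears at `append.asExpr() = mc.getArgument(2)` in the `HttpOnly` query. This looks carried over from the deprecated class, whose body is outside the hunk, so it may be better handled as a follow-up with a test case that uses named arguments.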