mirror of
https://github.com/github/codeql.git
synced 2025-12-16 16:53:25 +01:00
Add tests for insecure cookie using system.web
This commit is contained in:
Joe Farebrother
@@ -4,28 +4,4 @@ class Program
|
||||
{
|
||||
var cookie = new System.Web.HttpCookie("cookieName"); // GOOD: requireSSL is set to true in config
|
||||
}
|
||||
|
||||
void CookieDirectTrue()
|
||||
{
|
||||
var cookie = new System.Web.HttpCookie("cookieName");
|
||||
cookie.Secure = true; // GOOD
|
||||
}
|
||||
|
||||
void CookieDirectTrueInitializer()
|
||||
{
|
||||
var cookie = new System.Web.HttpCookie("cookieName") { Secure = true }; // GOOD
|
||||
}
|
||||
|
||||
void CookieIntermediateTrue()
|
||||
{
|
||||
var cookie = new System.Web.HttpCookie("cookieName");
|
||||
bool v = true;
|
||||
cookie.Secure = v; // GOOD: should track local data flow
|
||||
}
|
||||
|
||||
void CookieIntermediateTrueInitializer()
|
||||
{
|
||||
bool v = true;
|
||||
var cookie = new System.Web.HttpCookie("cookieName") { Secure = v }; // GOOD: should track local data flow
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,3 @@
|
||||
| Program.cs:5:22:5:60 | object creation of type HttpCookie | Cookie attribute 'Secure' is not set to true. |
|
||||
| Program.cs:34:22:34:60 | object creation of type HttpCookie | Cookie attribute 'Secure' is not set to true. |
|
||||
| Program.cs:40:22:40:79 | object creation of type HttpCookie | Cookie attribute 'Secure' is not set to true. |
|
||||
@@ -0,0 +1,2 @@
|
||||
query: Security Features/CWE-614/CookieWithoutSecure.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
@@ -0,0 +1,55 @@
|
||||
class Program
|
||||
{
|
||||
void CookieDefault()
|
||||
{
|
||||
var cookie = new System.Web.HttpCookie("cookieName"); // $Alert // BAD: requireSSL is set to false by default
|
||||
}
|
||||
|
||||
void CookieDirectTrue()
|
||||
{
|
||||
var cookie = new System.Web.HttpCookie("cookieName");
|
||||
cookie.Secure = true; // GOOD
|
||||
}
|
||||
|
||||
void CookieDirectTrueInitializer()
|
||||
{
|
||||
var cookie = new System.Web.HttpCookie("cookieName") { Secure = true }; // GOOD
|
||||
}
|
||||
|
||||
void CookieIntermediateTrue()
|
||||
{
|
||||
var cookie = new System.Web.HttpCookie("cookieName");
|
||||
bool v = true;
|
||||
cookie.Secure = v; // GOOD: should track local data flow
|
||||
}
|
||||
|
||||
void CookieIntermediateTrueInitializer()
|
||||
{
|
||||
bool v = true;
|
||||
var cookie = new System.Web.HttpCookie("cookieName") { Secure = v }; // GOOD: should track local data flow
|
||||
}
|
||||
|
||||
void CookieDirectFalse()
|
||||
{
|
||||
var cookie = new System.Web.HttpCookie("cookieName"); // $Alert
|
||||
cookie.Secure = false; // BAD
|
||||
}
|
||||
|
||||
void CookieDirectFalseInitializer()
|
||||
{
|
||||
var cookie = new System.Web.HttpCookie("cookieName") { Secure = false }; // $Alert // BAD
|
||||
}
|
||||
|
||||
void CookieIntermediateFalse()
|
||||
{
|
||||
var cookie = new System.Web.HttpCookie("cookieName"); // $MISSING:Alert
|
||||
bool v = false;
|
||||
cookie.Secure = v; // BAD, but not detected
|
||||
}
|
||||
|
||||
void CookieIntermediateFalseInitializer()
|
||||
{
|
||||
bool v = false;
|
||||
var cookie = new System.Web.HttpCookie("cookieName") { Secure = v }; // $MISSING:Alert // BAD, but not detected
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,6 @@
|
||||
<?xml version="1.0" encoding="utf-8" ?>
|
||||
<configuration>
|
||||
<system.web>
|
||||
<httpCookies />
|
||||
</system.web>
|
||||
</configuration>
|
||||
@@ -0,0 +1,3 @@
|
||||
semmle-extractor-options: /nostdlib /noconfig
|
||||
semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
|
||||
semmle-extractor-options: ${testdir}/../../../../../../resources/stubs/System.Web.cs
|
||||
@@ -0,0 +1,2 @@
|
||||
query: Security Features/CWE-614/CookieWithoutSecure.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
@@ -0,0 +1,7 @@
|
||||
class Program
|
||||
{
|
||||
void CookieDefault()
|
||||
{
|
||||
var cookie = new System.Web.HttpCookie("cookieName"); // GOOD: requireSSL is set to true in config
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,9 @@
|
||||
<?xml version="1.0" encoding="utf-8" ?>
|
||||
<configuration>
|
||||
<system.web>
|
||||
<authentication>
|
||||
<forms requireSSL=" True "/>
|
||||
</authentication>
|
||||
<httpCookies />
|
||||
</system.web>
|
||||
</configuration>
|
||||
@@ -0,0 +1,2 @@
|
||||
query: Security Features/CWE-614/CookieWithoutSecure.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
@@ -0,0 +1,7 @@
|
||||
class Program
|
||||
{
|
||||
void CookieDefault()
|
||||
{
|
||||
var cookie = new System.Web.HttpCookie("cookieName"); // GOOD: requireSSL is set to true in config
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,6 @@
|
||||
<?xml version="1.0" encoding="utf-8" ?>
|
||||
<configuration>
|
||||
<system.web>
|
||||
<httpCookies requireSSL="true" />
|
||||
</system.web>
|
||||
</configuration>
|
||||
@@ -0,0 +1,3 @@
|
||||
semmle-extractor-options: /nostdlib /noconfig
|
||||
semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
|
||||
semmle-extractor-options: ${testdir}/../../../../../../../resources/stubs/System.Web.cs
|
||||
Reference in New Issue
Block a user