documentation overhaul for clear-text-cookie

javascript/ql/test/query-tests/Security/CWE-614/ClearTextCookie.expected

@@ -0,0 +1,12 @@
+| tst-cleartextCookie.js:5:5:10:10 | res.coo ...      }) | Sensitive cookie sent without enforcing SSL encryption |
+| tst-cleartextCookie.js:20:5:20:43 | res.coo ... ptions) | Sensitive cookie sent without enforcing SSL encryption |
+| tst-cleartextCookie.js:35:1:35:52 | js_cook ... alse }) | Sensitive cookie sent without enforcing SSL encryption |
+| tst-cleartextCookie.js:44:37:44:51 | "authKey=ninja" | Sensitive cookie sent without enforcing SSL encryption |
+| tst-cleartextCookie.js:64:38:64:52 | "authKey=ninja" | Sensitive cookie sent without enforcing SSL encryption |
+| tst-cleartextCookie.js:94:60:94:72 | "authKey=foo" | Sensitive cookie sent without enforcing SSL encryption |
+| tst-cleartextCookie.js:104:9:107:2 | session ... T OK\\n}) | Sensitive cookie sent without enforcing SSL encryption |
+| tst-cleartextCookie.js:109:9:112:2 | session ... T OK\\n}) | Sensitive cookie sent without enforcing SSL encryption |
+| tst-cleartextCookie.js:114:9:117:2 | session ... T OK\\n}) | Sensitive cookie sent without enforcing SSL encryption |
+| tst-cleartextCookie.js:124:9:124:21 | session(sess) | Sensitive cookie sent without enforcing SSL encryption |
+| tst-cleartextCookie.js:148:9:156:2 | session ... Date\\n}) | Sensitive cookie sent without enforcing SSL encryption |
+| tst-cleartextCookie.js:160:33:160:58 | `authKe ... key()}` | Sensitive cookie sent without enforcing SSL encryption |

javascript/ql/test/query-tests/Security/CWE-614/ClearTextCookie.qlref

@@ -0,0 +1 @@
+Security/CWE-614/ClearTextCookie.ql

javascript/ql/test/query-tests/Security/CWE-614/InsecureCookies.expected

@@ -1,11 +0,0 @@
-| tst-cleartextCookie.js:5:5:10:10 | res.coo ...      }) | Cookie is added to response without the 'secure' flag being set to true |
-| tst-cleartextCookie.js:20:5:20:43 | res.coo ... ptions) | Cookie is added to response without the 'secure' flag being set to true |
-| tst-cleartextCookie.js:35:1:35:52 | js_cook ... alse }) | Cookie is added to response without the 'secure' flag being set to true |
-| tst-cleartextCookie.js:44:37:44:51 | "authKey=ninja" | Cookie is added to response without the 'secure' flag being set to true |
-| tst-cleartextCookie.js:64:38:64:52 | "authKey=ninja" | Cookie is added to response without the 'secure' flag being set to true |
-| tst-cleartextCookie.js:94:60:94:72 | "authKey=foo" | Cookie is added to response without the 'secure' flag being set to true |
-| tst-cleartextCookie.js:104:9:107:2 | session ... T OK\\n}) | Cookie is added to response without the 'secure' flag being set to true |
-| tst-cleartextCookie.js:109:9:112:2 | session ... T OK\\n}) | Cookie is added to response without the 'secure' flag being set to true |
-| tst-cleartextCookie.js:114:9:117:2 | session ... T OK\\n}) | Cookie is added to response without the 'secure' flag being set to true |
-| tst-cleartextCookie.js:124:9:124:21 | session(sess) | Cookie is added to response without the 'secure' flag being set to true |
-| tst-cleartextCookie.js:148:9:156:2 | session ... Date\\n}) | Cookie is added to response without the 'secure' flag being set to true |

javascript/ql/test/query-tests/Security/CWE-614/InsecureCookies.qlref

@@ -1 +0,0 @@
-Security/CWE-614/InsecureCookie.ql

javascript/ql/test/query-tests/Security/CWE-614/tst-cleartextCookie.js

@@ -154,3 +154,16 @@ app.use(session({
     path: 'foo/bar',
     expires: expiryDate
 }))
+
+http.createServer((req, res) => {
+    res.setHeader('Content-Type', 'text/html');
+    res.setHeader("Set-Cookie", `authKey=${makeAuthkey()}`); // NOT OK
+    res.writeHead(200, { 'Content-Type': 'text/plain' });
+    res.end('ok');
+});
+
+http.createServer((req, res) => {
+    res.setHeader("Set-Cookie", `authKey=${makeAuthkey()}; secure; httpOnly`); // OK
+    res.writeHead(200, { 'Content-Type': 'text/html' });
+    res.end('<h2>Hello world</h2>');
+});