Add InsecureCookieQuery

2026-05-02 12:15:17 +02:00 · 2023-04-03 17:26:58 -04:00
parent be24b29e7a
commit b39d5088de
3 changed files with 44 additions and 36 deletions
--- a/java/ql/lib/change-notes/2023-03-30-add-libraries-for-query-configurations.md
+++ b/java/ql/lib/change-notes/2023-03-30-add-libraries-for-query-configurations.md
@@ -5,4 +5,5 @@ category: minorAnalysis
 * Added the `XPathInjectionQuery.qll` library to provide the `XPathInjectionFlow` taint-tracking module to reason about XPath injection vulnerabilities.
 * Added the `SqlConcatenatedQuery.qll` library to provide the `UncontrolledStringBuilderSourceFlow` taint-tracking module to reason about SQL injection vulnerabilities caused by concatenating untrusted strings.
 * Added the `XssLocalQuery.qll` library to provide the `XssLocalFlow` taint-tracking module to reason about XSS vulnerabilities caused by local data flow.
-* Added the `ExternallyControlledFormatStringLocalQuery.qll` library to provide the `ExternallyControlledFormatStringLocalFlow` taint-tracking module to reason about format string vulnerabilities caused by local data flow.
+* Added the `ExternallyControlledFormatStringLocalQuery.qll` library to provide the `ExternallyControlledFormatStringLocalFlow` taint-tracking module to reason about format string vulnerabilities caused by local data flow.
+* Added the `InsecureCookieQuery.qll` library to provide the `SecureCookieFlow` taint-tracking module to reason about insecure cookie vulnerabilities.
--- a/java/ql/lib/semmle/code/java/security/InsecureCookieQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/InsecureCookieQuery.qll
@@ -0,0 +1,41 @@
+/** Provides a dataflow configuration to reason about the failure to use secure cookies. */
+
+import java
+import semmle.code.java.dataflow.DataFlow
+private import semmle.code.java.frameworks.Servlets
+
+private predicate isSafeSecureCookieSetting(Expr e) {
+  e.(CompileTimeConstantExpr).getBooleanValue() = true
+  or
+  exists(Method isSecure |
+    isSecure.hasName("isSecure") and
+    isSecure.getDeclaringType().getASourceSupertype*() instanceof ServletRequest
+  |
+    e.(MethodAccess).getMethod() = isSecure
+  )
+}
+
+/** A dataflow configuration to reason about the failure to use secure cookies. */
+module SecureCookieConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    exists(MethodAccess ma, Method m | ma.getMethod() = m |
+      m.getDeclaringType() instanceof TypeCookie and
+      m.getName() = "setSecure" and
+      source.asExpr() = ma.getQualifier() and
+      forex(DataFlow::Node argSource |
+        DataFlow::localFlow(argSource, DataFlow::exprNode(ma.getArgument(0))) and
+        not DataFlow::localFlowStep(_, argSource)
+      |
+        isSafeSecureCookieSetting(argSource.asExpr())
+      )
+    )
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    sink.asExpr() =
+      any(MethodAccess add | add.getMethod() instanceof ResponseAddCookieMethod).getArgument(0)
+  }
+}
+
+/** Data flow to reason about the failure to use secure cookies. */
+module SecureCookieFlow = DataFlow::Global<SecureCookieConfig>;
--- a/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql
+++ b/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql
@@ -13,41 +13,7 @@

 import java
 import semmle.code.java.frameworks.Servlets
-import semmle.code.java.dataflow.DataFlow
-
-predicate isSafeSecureCookieSetting(Expr e) {
-  e.(CompileTimeConstantExpr).getBooleanValue() = true
-  or
-  exists(Method isSecure |
-    isSecure.getName() = "isSecure" and
-    isSecure.getDeclaringType().getASourceSupertype*() instanceof ServletRequest
-  |
-    e.(MethodAccess).getMethod() = isSecure
-  )
-}
-
-module SecureCookieConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) {
-    exists(MethodAccess ma, Method m | ma.getMethod() = m |
-      m.getDeclaringType() instanceof TypeCookie and
-      m.getName() = "setSecure" and
-      source.asExpr() = ma.getQualifier() and
-      forex(DataFlow::Node argSource |
-        DataFlow::localFlow(argSource, DataFlow::exprNode(ma.getArgument(0))) and
-        not DataFlow::localFlowStep(_, argSource)
-      |
-        isSafeSecureCookieSetting(argSource.asExpr())
-      )
-    )
-  }
-
-  predicate isSink(DataFlow::Node sink) {
-    sink.asExpr() =
-      any(MethodAccess add | add.getMethod() instanceof ResponseAddCookieMethod).getArgument(0)
-  }
-}
-
-module SecureCookieFlow = DataFlow::Global<SecureCookieConfig>;
+import semmle.code.java.security.InsecureCookieQuery

 from MethodAccess add
 where