From b813c13462e9279d7051c59e707ee3c54bf11e97 Mon Sep 17 00:00:00 2001
From: Joe Farebrother
Date: Wed, 29 Oct 2025 10:53:00 +0000
Subject: [PATCH] Restrict sinks to fix performance
---
 .../code/csharp/security/auth/SecureCookies.qll | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/csharp/ql/lib/semmle/code/csharp/security/auth/SecureCookies.qll b/csharp/ql/lib/semmle/code/csharp/security/auth/SecureCookies.qll
index a34191a7086..56b6294949b 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/auth/SecureCookies.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/auth/SecureCookies.qll
@@ -3,6 +3,7 @@
 */
 import csharp
+private import semmle.code.csharp.frameworks.system.Web
 private import semmle.code.csharp.frameworks.microsoft.AspNetCore
 /**
@@ -32,7 +33,15 @@ private module AuthCookieNameConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) { isAuthVariable(source.asExpr()) }
- predicate isSink(DataFlow::Node sink) { exists(Call c | sink.asExpr() = c.getAnArgument()) }
+ predicate isSink(DataFlow::Node sink) {
+ exists(Call c |
+ sink.asExpr() = c.getAnArgument() and
+ (
+ c.getTarget() = any(MicrosoftAspNetCoreHttpResponseCookies cls).getAppendMethod() or
+ c.(ObjectCreation).getType() instanceof SystemWebHttpCookie
+ )
+ )
+ }
 }
 /**
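Review bot: The narrowed `isSink` in the second hunk carries no QLDoc, so the recall trade-off behind the "Restrict sinks to fix performance" title is invisible at the predicate itself; a later maintainer will not know that arguments of every other call were dropped on purpose rather than by oversight. I would add above it a one-line comment such as `/** Holds if sink is an argument of IResponseCookies.Append or of an HttpCookie constructor; other call arguments are deliberately excluded for performance. */`. Both retained sinks still match via `c.getAnArgument()`, so a flow into the value or options argument of `Append` counts the same as a flow into the cookie name; if only the name position is intended, `c.getArgument(0)` would tighten it further, but that is a result-changing edit rather than a performance one and should be checked against the query's expected-output files first. The enclosing `AuthCookieNameConfig` module starts before the hunk.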