Insecure cookie query: accept ServletRequest.isSecure(), and allow more than one possible input to a setSecure(...) call.

2026-04-30 19:26:02 +02:00 · 2022-05-11 11:59:37 +01:00
parent 1af0e9b619
commit c17ef42cc7
3 changed files with 87 additions and 7 deletions
--- a/java/ql/test/query-tests/security/CWE-311/CWE-614/semmle/tests/InsecureCookie.expected
+++ b/java/ql/test/query-tests/security/CWE-311/CWE-614/semmle/tests/InsecureCookie.expected
@@ -1 +1,4 @@
-| Test.java:16:4:16:29 | addCookie(...) | Cookie is added to response without the 'secure' flag being set. |
+| Test.java:19:4:19:29 | addCookie(...) | Cookie is added to response without the 'secure' flag being set. |
+| Test.java:28:4:28:29 | addCookie(...) | Cookie is added to response without the 'secure' flag being set. |
+| Test.java:37:4:37:29 | addCookie(...) | Cookie is added to response without the 'secure' flag being set. |
+| Test.java:51:4:51:29 | addCookie(...) | Cookie is added to response without the 'secure' flag being set. |
--- a/java/ql/test/query-tests/security/CWE-311/CWE-614/semmle/tests/Test.java
+++ b/java/ql/test/query-tests/security/CWE-311/CWE-614/semmle/tests/Test.java
@@ -8,21 +8,81 @@ package test.cwe614.semmle.tests;
 import javax.servlet.http.*;

 class Test {
-	public static void test(HttpServletRequest request, HttpServletResponse response) {
+
+	public static final boolean constTrue = true;
+
+	public static void test(HttpServletRequest request, HttpServletResponse response, boolean alwaysSecure, boolean otherInput) {
 		{
 			Cookie cookie = new Cookie("secret" ,"fakesecret");
-			
+
 			// BAD: secure flag not set
 			response.addCookie(cookie);
-			
+
 		}
-		
+
 		{
 			Cookie cookie = new Cookie("secret" ,"fakesecret");
-			
+
+			// BAD: secure flag set to false
+			cookie.setSecure(false);
+			response.addCookie(cookie);
+
+		}
+
+		{
+			Cookie cookie = new Cookie("secret" ,"fakesecret");
+
+			// BAD: secure flag set to something not clearly true or request.isSecure()
+			cookie.setSecure(otherInput);
+			response.addCookie(cookie);
+
+		}
+
+		{
+			Cookie cookie = new Cookie("secret" ,"fakesecret");
+
+			// BAD: secure flag sometimes set to something clearly true or request.isSecure()
+			boolean secureVal;
+			if(alwaysSecure)
+				secureVal = true;
+			else
+				secureVal = otherInput;
+			cookie.setSecure(secureVal);
+			response.addCookie(cookie);
+
+		}
+
+		{
+			Cookie cookie = new Cookie("secret" ,"fakesecret");
+
 			// GOOD: set secure flag
 			cookie.setSecure(true);
 			response.addCookie(cookie);
 		}
+
+		{
+			Cookie cookie = new Cookie("secret" ,"fakesecret");
+
+			// GOOD: set secure flag
+			cookie.setSecure(true);
+			response.addCookie(cookie);
+		}
+
+		{
+			Cookie cookie = new Cookie("secret" ,"fakesecret");
+
+			// GOOD: set secure flag
+			cookie.setSecure(constTrue);
+			response.addCookie(cookie);
+		}
+
+		{
+			Cookie cookie = new Cookie("secret" ,"fakesecret");
+
+			// GOOD: set secure flag if contacted over HTTPS
+			cookie.setSecure(alwaysSecure ? true : request.isSecure());
+			response.addCookie(cookie);
+		}
+
 	}
 }