Address reviews - update comments, remove unneeded stubs

2025-12-16 16:53:25 +01:00 · 2025-11-19 06:01:30 +00:00
parent c6110ed541
commit c7b16a043e
7 changed files with 6 additions and 162 deletions
--- a/go/ql/lib/semmle/go/concepts/HTTP.qll
+++ b/go/ql/lib/semmle/go/concepts/HTTP.qll
@@ -427,10 +427,10 @@ module Http {
  /** Provides a class for modeling the new APIs for writes to options of an HTTP cookie. */
  module CookieOptionWrite {
    /**
-     * A write to an HTTP cookie object.
+     * A write to an option of an HTTP cookie object.
     *
     * Extend this class to model new APIs. If you want to refine existing API models,
-     * extend `HTTP::CookieOptions` instead.
+     * extend `HTTP::CookieOptionWrite` instead.
     */
    abstract class Range extends DataFlow::Node {
      /** Gets the node representing the cookie object for the options being set. */
@@ -451,10 +451,10 @@ module Http {
  }

  /**
-   * A write to an HTTP cookie object.
+   * A write to an option of an HTTP cookie object.
   *
   * Extend this class to refine existing API models. If you want to model new APIs,
-   * extend `HTTP::CookieOptions::Range` instead.
+   * extend `HTTP::CookieOptionWrite::Range` instead.
   */
  class CookieOptionWrite extends DataFlow::Node instanceof CookieOptionWrite::Range {
    /** Gets the node representing the cookie object for the options being set. */
--- a/go/ql/lib/semmle/go/security/CookieWithoutHttpOnly.qll
+++ b/go/ql/lib/semmle/go/security/CookieWithoutHttpOnly.qll
@@ -48,7 +48,7 @@ module BooleanCookieHttpOnlyFlow = TaintTracking::Global<BooleanCookieHttpOnlyCo

 /** Holds if `cw` has the `HttpOnly` attribute left at its default value of `false`. */
 predicate isNonHttpOnlyDefault(Http::CookieWrite cw) {
-  not BooleanCookieHttpOnlyFlow::flow(_, cw.getHttpOnly())
+  not BooleanCookieHttpOnlyFlow::flowTo(cw.getHttpOnly())
 }

 /** Holds if `cw` has the `HttpOnly` attribute explicitly set to `false`, from the expression `boolFalse`. */
--- a/go/ql/lib/semmle/go/security/CookieWithoutSecure.qll
+++ b/go/ql/lib/semmle/go/security/CookieWithoutSecure.qll
@@ -21,7 +21,7 @@ module BooleanCookieSecureFlow = TaintTracking::Global<BooleanCookieSecureConfig

 /** Holds if `cw` has the `Secure` attribute left at its default value of `false`. */
 predicate isInsecureDefault(Http::CookieWrite cw) {
-  not BooleanCookieSecureFlow::flow(_, cw.getSecure())
+  not BooleanCookieSecureFlow::flowTo(cw.getSecure())
 }

 /** Holds if `cw` has the `Secure` attribute explicitly set to `false`, from the expression `boolFalse`. */
--- a/go/ql/test/query-tests/Security/CWE-1004/vendor/github.com/gorilla/sessions/stub.go
+++ b/go/ql/test/query-tests/Security/CWE-1004/vendor/github.com/gorilla/sessions/stub.go
@@ -1,75 +0,0 @@
-// Code generated by depstubber. DO NOT EDIT.
-// This is a simple stub for github.com/gorilla/sessions, strictly for use in testing.
-
-// See the LICENSE file for information about the licensing of the original library.
-// Source: github.com/gorilla/sessions (exports: CookieStore; functions: NewCookieStore)
-
-// Package sessions is a stub of github.com/gorilla/sessions, generated by depstubber.
-package sessions
-
-import (
-	http "net/http"
-)
-
-type CookieStore struct {
-	Codecs  []interface{}
-	Options *Options
-}
-
-func (_ *CookieStore) Get(_ *http.Request, _ string) (*Session, error) {
-	return nil, nil
-}
-
-func (_ *CookieStore) MaxAge(_ int) {}
-
-func (_ *CookieStore) New(_ *http.Request, _ string) (*Session, error) {
-	return nil, nil
-}
-
-func (_ *CookieStore) Save(_ *http.Request, _ http.ResponseWriter, _ *Session) error {
-	return nil
-}
-
-func NewCookieStore(_ ...[]byte) *CookieStore {
-	return nil
-}
-
-type Options struct {
-	Path     string
-	Domain   string
-	MaxAge   int
-	Secure   bool
-	HttpOnly bool
-	SameSite http.SameSite
-}
-
-type Session struct {
-	ID      string
-	Values  map[interface{}]interface{}
-	Options *Options
-	IsNew   bool
-}
-
-func (_ *Session) AddFlash(_ interface{}, _ ...string) {}
-
-func (_ *Session) Flashes(_ ...string) []interface{} {
-	return nil
-}
-
-func (_ *Session) Name() string {
-	return ""
-}
-
-func (_ *Session) Save(_ *http.Request, _ http.ResponseWriter) error {
-	return nil
-}
-
-func (_ *Session) Store() Store {
-	return nil
-}
-
-type Store interface {
-	Get(_ *http.Request, _ string) (*Session, error)
-	New(_ *http.Request, _ string) (*Session, error)
-	Save(_ *http.Request, _ http.ResponseWriter, _ *Session) error
-}
--- a/go/ql/test/query-tests/Security/CWE-1004/vendor/modules.txt
+++ b/go/ql/test/query-tests/Security/CWE-1004/vendor/modules.txt
@@ -1,6 +1,3 @@
 # github.com/gin-gonic/gin v1.7.1
 ## explicit
 github.com/gin-gonic/gin
-# github.com/gorilla/sessions v1.2.1
-## explicit
-github.com/gorilla/sessions
--- a/go/ql/test/query-tests/Security/CWE-614/vendor/github.com/gorilla/sessions/stub.go
+++ b/go/ql/test/query-tests/Security/CWE-614/vendor/github.com/gorilla/sessions/stub.go
@@ -1,75 +0,0 @@
-// Code generated by depstubber. DO NOT EDIT.
-// This is a simple stub for github.com/gorilla/sessions, strictly for use in testing.
-
-// See the LICENSE file for information about the licensing of the original library.
-// Source: github.com/gorilla/sessions (exports: CookieStore; functions: NewCookieStore)
-
-// Package sessions is a stub of github.com/gorilla/sessions, generated by depstubber.
-package sessions
-
-import (
-	http "net/http"
-)
-
-type CookieStore struct {
-	Codecs  []interface{}
-	Options *Options
-}
-
-func (_ *CookieStore) Get(_ *http.Request, _ string) (*Session, error) {
-	return nil, nil
-}
-
-func (_ *CookieStore) MaxAge(_ int) {}
-
-func (_ *CookieStore) New(_ *http.Request, _ string) (*Session, error) {
-	return nil, nil
-}
-
-func (_ *CookieStore) Save(_ *http.Request, _ http.ResponseWriter, _ *Session) error {
-	return nil
-}
-
-func NewCookieStore(_ ...[]byte) *CookieStore {
-	return nil
-}
-
-type Options struct {
-	Path     string
-	Domain   string
-	MaxAge   int
-	Secure   bool
-	HttpOnly bool
-	SameSite http.SameSite
-}
-
-type Session struct {
-	ID      string
-	Values  map[interface{}]interface{}
-	Options *Options
-	IsNew   bool
-}
-
-func (_ *Session) AddFlash(_ interface{}, _ ...string) {}
-
-func (_ *Session) Flashes(_ ...string) []interface{} {
-	return nil
-}
-
-func (_ *Session) Name() string {
-	return ""
-}
-
-func (_ *Session) Save(_ *http.Request, _ http.ResponseWriter) error {
-	return nil
-}
-
-func (_ *Session) Store() Store {
-	return nil
-}
-
-type Store interface {
-	Get(_ *http.Request, _ string) (*Session, error)
-	New(_ *http.Request, _ string) (*Session, error)
-	Save(_ *http.Request, _ http.ResponseWriter, _ *Session) error
-}
--- a/go/ql/test/query-tests/Security/CWE-614/vendor/modules.txt
+++ b/go/ql/test/query-tests/Security/CWE-614/vendor/modules.txt
@@ -1,6 +1,3 @@
 # github.com/gin-gonic/gin v1.7.1
 ## explicit
 github.com/gin-gonic/gin
-# github.com/gorilla/sessions v1.2.1
-## explicit
-github.com/gorilla/sessions