Merge pull request #7721 from erik-krogh/CWE-1275

JS: add a js/samesite-none-cookie cookie

javascript/ql/src/Security/CWE-1004/ClientExposedCookie.qhelp

@@ -23,12 +23,12 @@ Set the <code>httpOnly</code> flag on all cookies that are not needed by the cli
 The following example stores an authentication token in a cookie that can 
 be viewed by the client.
 </p>
-<sample src="examples/ClientExposedCookieGood.js"/>
+<sample src="examples/ClientExposedCookieBad.js"/>
 <p>
 To force the cookie to be transmitted using SSL, set the <code>secure</code>
 attribute on the cookie.
 </p>
-<sample src="examples/ClientExposedCookieBad.js"/>
+<sample src="examples/ClientExposedCookieGood.js"/>
 </example>
 
 <references>

javascript/ql/src/Security/CWE-1275/SameSiteNoneCookie.qhelp

@@ -0,0 +1,43 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Authentication cookies where the SameSite attribute is set to "None" can 
+potentially be used to perform Cross-Site Request Forgery (CSRF) attacks 
+if no other CSRF protections are in place.
+</p>
+<p>
+With SameSite set to "None", a third party website may create an authorized cross-site request
+that includes the cookie.
+Such a cross-site request can allow that website to perform actions on behalf of a user.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Set the <code>SameSite</code> attribute to <code>Strict</code> on all sensitive cookies.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example stores an authentication token in a cookie where the <code>SameSite</code>
+attribute is set to <code>None</code>.
+</p>
+<sample src="examples/SameSiteCookieBad.js"/>
+<p>
+To prevent the cookie from being included in cross-site requests, set the <code>SameSite</code>
+attribute to <code>Strict</code>.
+</p>
+<sample src="examples/SameSiteCookieGood.js"/>
+</example>
+
+<references>
+<li>MDN Web Docs: <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite">SameSite cookies</a>.</li>
+<li>OWASP: <a href="https://owasp.org/www-community/SameSite">SameSite</a>.</li>
+</references>
+
+</qhelp>

javascript/ql/src/Security/CWE-1275/SameSiteNoneCookie.ql

@@ -0,0 +1,21 @@
+/**
+ * @name Sensitive cookie without SameSite restrictions
+ * @description Sensitive cookies where the SameSite attribute is set to "None" can
+ *              in some cases allow for Cross-Site Request Forgery (CSRF) attacks.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 5.0
+ * @precision medium
+ * @id js/samesite-none-cookie
+ * @tags security
+ *       external/cwe/cwe-1275
+ */
+
+import javascript
+
+from CookieWrites::CookieWrite cookie
+where
+  cookie.isSensitive() and
+  cookie.isSecure() and // `js/clear-text-cookie` will report it if the cookie is not secure.
+  cookie.getSameSite().toLowerCase() = "none"
+select cookie, "Sensitive cookie with SameSite set to 'None'"

javascript/ql/src/Security/CWE-1275/examples/SameSiteCookieBad.js

@@ -0,0 +1,7 @@
+const http = require('http');
+
+const server = http.createServer((req, res) => {
+    res.setHeader("Set-Cookie", `authKey=${makeAuthkey()}; secure; httpOnly; SameSite=None`);
+    res.writeHead(200, { 'Content-Type': 'text/html' });
+    res.end('<h2>Hello world</h2>');
+});

javascript/ql/src/Security/CWE-1275/examples/SameSiteCookieGood.js

@@ -0,0 +1,7 @@
+const http = require('http');
+
+const server = http.createServer((req, res) => {
+    res.setHeader("Set-Cookie", `authKey=${makeAuthkey()}; secure; httpOnly; SameSite=Strict`);
+    res.writeHead(200, { 'Content-Type': 'text/html' });
+    res.end('<h2>Hello world</h2>');
+});

javascript/ql/src/change-notes/2022-01-24-samesite-cookie.md

@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* A new query `js/samesite-none-cookie` has been added. The query detects when the SameSite attribute is set to None on a sensitive cookie.