Support string expressions

javascript/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.expected

@@ -8,6 +8,7 @@
 | test_httpserver.js:7:37:7:48 | "auth=ninja" | Cookie attribute 'HttpOnly' is not set to true. |
 | test_httpserver.js:27:37:27:70 | ["auth= ... cript"] | Cookie attribute 'HttpOnly' is not set to true. |
 | test_httpserver.js:57:37:57:80 | ["auth= ... cript"] | Cookie attribute 'HttpOnly' is not set to true. |
+| test_httpserver.js:87:37:87:59 | `sessio ... {attr}` | Cookie attribute 'HttpOnly' is not set to true. |
 | test_responseCookie.js:15:5:20:10 | res.coo ...      }) | Cookie attribute 'HttpOnly' is not set to true. |
 | test_responseCookie.js:25:5:28:10 | res.coo ...      }) | Cookie attribute 'HttpOnly' is not set to true. |
 | test_responseCookie.js:48:5:48:43 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true. |

javascript/ql/test/query-tests/Security/CWE-1004/test_httpserver.js

@@ -68,4 +68,24 @@ function test7() {
         res.writeHead(200, { 'Content-Type': 'text/plain' });
         res.end('ok');
     });
+}
+
+function test8() {
+    const server = http.createServer((req, res) => {
+        res.setHeader('Content-Type', 'text/html');
+        let attr = "; httponly"
+        res.setHeader("Set-Cookie", `session=ninja ${attr}`); // Good, httponly string expression
+        res.writeHead(200, { 'Content-Type': 'text/plain' });
+        res.end('ok');
+    });
+}
+
+function test9() {
+    const server = http.createServer((req, res) => {
+        res.setHeader('Content-Type', 'text/html');
+        let attr = "; secure"
+        res.setHeader("Set-Cookie", `session=ninja ${attr}`); // Bad, not httponly string expression
+        res.writeHead(200, { 'Content-Type': 'text/plain' });
+        res.end('ok');
+    });
 }