hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add sensitive data heuristic

Browse Source
This commit is contained in:
Joe Farebrother
2025-09-23 10:08:08 +01:00
parent 6eac6b7258
commit d28e8004fd
5 changed files with 25 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
python/ql/lib/semmle/python/Concepts.qll
View File

@@ -12,6 +12,7 @@ private import semmle.python.dataflow.new.TaintTracking
private import semmle.python.Files
private import semmle.python.Frameworks
private import semmle.python.security.internal.EncryptionKeySizes
private import semmle.python.dataflow.new.SensitiveDataSources
private import codeql.threatmodels.ThreatModels
private import codeql.concepts.ConceptsShared
@@ -1290,6 +1291,18 @@ module Http {
*/
DataFlow::Node getValueArg() { result = super.getValueArg() }
/** Holds if the name of this cookie indicates it may contain sensitive information. */
predicate isSensitive() {
exists(DataFlow::Node name |
name = [this.getNameArg(), this.getHeaderArg()] and
(
name instanceof SensitiveDataSource
or
name = sensitiveLookupStringConst(_)
)
)
}
/**
* Holds if the `Secure` flag of the cookie is known to have a value of `b`.
*/

2
python/ql/lib/semmle/python/dataflow/new/SensitiveDataSources.qll
View File

@@ -334,3 +334,5 @@ private module SensitiveDataModeling {
}
predicate sensitiveDataExtraStepForCalls = SensitiveDataModeling::extraStepForCalls/2;
predicate sensitiveLookupStringConst = SensitiveDataModeling::sensitiveLookupStringConst/1;

3
python/ql/src/Security/CWE-614/InsecureCookie.ql
View File

@@ -16,5 +16,6 @@ import semmle.python.dataflow.new.DataFlow
import semmle.python.Concepts
from Http::Server::CookieWrite cookie
where cookie.hasSecureFlag(false)
where cookie.hasSecureFlag(false) //and
//cookie.isSensitive()
select cookie, "Cookie is added without the Secure attribute properly set."

10
python/ql/test/query-tests/Security/CWE-614-InsecureCookie/InsecureCookie.expected
View File

@@ -1,7 +1,3 @@
| test.py:8:5:8:37 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
| test.py:10:5:10:52 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
| test.py:11:5:11:56 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
| test.py:12:5:12:53 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
| test.py:13:5:13:54 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
| test.py:15:5:15:71 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
| test.py:17:5:17:69 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
| test.py:8:5:8:40 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
| test.py:10:5:10:57 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
| test.py:11:5:11:60 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |

16
python/ql/test/query-tests/Security/CWE-614-InsecureCookie/test.py
View File

@@ -5,14 +5,8 @@ app = Flask(__name__)
@app.route("/test")
def test():
resp = make_response()
resp.set_cookie("key1", "value1") # $Alert[py/insecure-cookie]
resp.set_cookie("key2", "value2", secure=True)
resp.set_cookie("key2", "value2", httponly=True) # $Alert[py/insecure-cookie]
resp.set_cookie("key2", "value2", samesite="Strict") # $Alert[py/insecure-cookie]
resp.set_cookie("key2", "value2", samesite="Lax") # $Alert[py/insecure-cookie]
resp.set_cookie("key2", "value2", samesite="None") # $Alert[py/insecure-cookie]
resp.set_cookie("key2", "value2", secure=True, samesite="Strict")
resp.set_cookie("key2", "value2", httponly=True, samesite="Strict") # $Alert[py/insecure-cookie]
resp.set_cookie("key2", "value2", secure=True, samesite="None")
resp.set_cookie("key2", "value2", httponly=True, samesite="None") # $Alert[py/insecure-cookie]
resp.set_cookie("key2", "value2", secure=True, httponly=True, samesite="Strict")
resp.set_cookie("authKey", "value1") # $Alert[py/insecure-cookie]
resp.set_cookie("authKey", "value2", secure=True)
resp.set_cookie("sessionID", "value2", httponly=True) # $Alert[py/insecure-cookie]
resp.set_cookie("password", "value2", samesite="Strict") # $Alert[py/insecure-cookie]
resp.set_cookie("notSensitive", "value3")