Add documentation

python/ql/src/Security/CWE-614/CookieInjection.qhelp

@@ -0,0 +1,24 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>Constructing cookies from user input can allow an attacker to control a user's cookie. Additionally, if the cookie is set using a raw header, cookie attributes such as the <code>Secure</code> flag may be controlled by an attacker.  
+</p>
+</overview>
+
+<recommendation>
+<p>Do not use raw user input to construct cookies.</p>
+</recommendation>
+
+<example>
+<p>In the following cases, a cookie is constructed for a Flask response using user input. The first uses <code>set_cookie</code>,
+and the second sets a cookie's raw value through the <code>set-cookie</code> header.</p>
+<sample src="examples/CookieInjection.py" />
+</example>
+
+<references>
+</references>
+
+</qhelp>

python/ql/src/Security/CWE-614/CookieInjection.ql

@@ -2,8 +2,9 @@
  * @name Construction of a cookie using user-supplied input.
  * @description Constructing cookies from user input may allow an attacker to perform a Cookie Poisoning attack.
  * @kind path-problem
- * @problem.severity error
+ * @problem.severity warning
  * @precision high
+ * @security-severity 5.0
  * @id py/cookie-injection
  * @tags security
  *       external/cwe/cwe-614

python/ql/src/Security/CWE-614/examples/CookieInjection.py

@@ -0,0 +1,16 @@
+from flask import request, make_response
+
+
+@app.route("/1")
+def set_cookie():
+    resp = make_response()
+    resp.set_cookie(request.args["name"], # BAD: User input is used to set the cookie's name and value
+                    value=request.args["name"])
+    return resp
+
+
+@app.route("/2")
+def set_cookie_header():
+    resp = make_response()
+    resp.headers['Set-Cookie'] = f"{request.args['name']}={request.args['name']};" # BAD: User input is used to set the raw cookie header.
+    return resp