Add qhelp & fix tests

2025-12-16 16:53:25 +01:00 · 2025-11-09 23:50:29 +00:00
parent 2b1cd846b3
commit fa30041498
6 changed files with 119 additions and 7 deletions
--- a/go/ql/src/Security/CWE-1004/CookieWithoutHttpOnly.qhelp
+++ b/go/ql/src/Security/CWE-1004/CookieWithoutHttpOnly.qhelp
@@ -0,0 +1,34 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>Cookies without the <code>HttpOnly</code> flag set are accessible to client-side scripts such as JavaScript running in the same origin. 
+In case of a Cross-Site Scripting (XSS) vulnerability, the cookie can be stolen by a malicious script.
+If a sensitive cookie does not need to be accessed directly by client-side JS, the <code>HttpOnly</code> flag should be set.</p>
+</overview>
+
+<recommendation>
+<p>
+Set the <code>HttpOnly</code> flag to <code>true</code> for authentication cookies to ensure they are not accessible to client-side scripts.
+</p> 
+</recommendation>
+
+<example>
+<p>
+In the following example, in the case marked BAD, the <code>HttpOnly</code> flag is not set, so the default value of <code>false</code> is used.
+In the case marked GOOD, the <code>HttpOnly</code> flag is set to <code>true</code>.
+</p>
+<sample src="examples/CookieWithoutHttpOnly.go"/>
+
+
+</example>
+
+<references>
+
+<li>MDN: <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie">Set-Cookie</a> Header.</li>
+<li>PortSwigger: <a href="https://portswigger.net/kb/issues/00500600_cookie-without-httponly-flag-set">Cookie without HttpOnly flag set</a></li>
+
+</references>
+</qhelp>
--- a/go/ql/src/Security/CWE-1004/CookieWithoutHttpOnly.ql
+++ b/go/ql/src/Security/CWE-1004/CookieWithoutHttpOnly.ql
@@ -1,9 +1,7 @@
 /**
- * @name 'HttpOnly' attribute is not set to true
- * @description Omitting the 'HttpOnly' attribute for security sensitive data allows
- *              malicious JavaScript to steal it in case of XSS vulnerability. Always set
- *              'HttpOnly' to 'true' to authentication related cookie to make it
- *              not accessible by JavaScript.
+ * @name Cookie 'HttpOnly' attribute is not set to true
+ * @description Sensitive cookies without the `HttpOnly` property set are accessible by client-side scripts such as JavaScript.
+ *              This makes them more vulnerable to being stolen by an XSS attack.
 * @kind path-problem
 * @problem.severity warning
 * @precision high
--- a/go/ql/src/Security/CWE-1004/examples/CookieWithoutHttpOnly.go
+++ b/go/ql/src/Security/CWE-1004/examples/CookieWithoutHttpOnly.go
@@ -0,0 +1,22 @@
+package main
+
+import (
+	"net/http"
+)
+
+func handlerBad(w http.ResponseWriter, r *http.Request) {
+	c := http.Cookie{
+		Name:     "session",
+		Value:    "secret",
+	}
+	http.SetCookie(w, &c) // BAD: The HttpOnly flag is set to false by default.
+}
+
+func handlerGood(w http.ResponseWriter, r *http.Request) {
+	c := http.Cookie{
+		Name:     "session",
+		Value:    "secret",
+		HttpOnly: true,
+	}
+	http.SetCookie(w, &c) // GOOD: The HttpOnly flag is set to true.
+}
--- a/go/ql/src/Security/CWE-614/CookieWithoutSecure.qhelp
+++ b/go/ql/src/Security/CWE-614/CookieWithoutSecure.qhelp
@@ -0,0 +1,35 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>Cookies without the <code>Secure</code> flag set may be transmitted using HTTP instead of HTTPS.
+This leaves them vulnerable to being read by a third party attacker. If a sensitive cookie such as a session
+key is intercepted this way, it would allow the attacker to perform actions on a user's behalf.</p>
+</overview>
+
+<recommendation>
+<p>
+Set the <code>Secure</code> flag to <code>true</code> to ensure cookies are only transmitted over secure HTTPS connections.
+</p>
+</recommendation>
+
+<example>
+<p>
+In the following example, in the case marked BAD, the <code>Secure</code> flag is set to <code>false</code> by default.
+In the case marked GOOD, the <code>Secure</code> flag is set to <code>true</code>.
+</p>
+<sample src="examples/CookieWithoutSecure.go"/>
+
+
+</example>
+
+<references>
+
+<li>MDN: <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie">Set-Cookie</a> Header.</li>
+<li>Detectify: <a href="https://support.detectify.com/support/solutions/articles/48001048982-cookie-lack-secure-flag">Cookie lack Secure flag</a>.</li>
+<li>PortSwigger: <a href="https://portswigger.net/kb/issues/00500200_tls-cookie-without-secure-flag-set">TLS cookie without secure flag set</a>.</li>
+
+</references>
+</qhelp>
--- a/go/ql/src/Security/CWE-614/CookieWithoutSecure.ql
+++ b/go/ql/src/Security/CWE-614/CookieWithoutSecure.ql
@@ -1,6 +1,7 @@
 /**
- * @name 'Secure' attribute is not set to true
- * @description todo
+ * @name Cookie 'Secure' attribute is not set to true
+ * @description Cookies without the `Secure` flag may be sent in cleartext.
+ *              This makes them vulnerable to be intercepted by an attacker.
 * @kind problem
 * @problem.severity warning
 * @precision high
--- a/go/ql/src/Security/CWE-614/examples/CookieWithoutSecure.go
+++ b/go/ql/src/Security/CWE-614/examples/CookieWithoutSecure.go
@@ -0,0 +1,22 @@
+package main
+
+import (
+	"net/http"
+)
+
+func handlerBad(w http.ResponseWriter, r *http.Request) {
+	c := http.Cookie{
+		Name:     "session",
+		Value:    "secret",
+	}
+	http.SetCookie(w, &c) // BAD: The Secure flag is set to false by default.
+}
+
+func handlerGood(w http.ResponseWriter, r *http.Request) {
+	c := http.Cookie{
+		Name:     "session",
+		Value:    "secret",
+		Secure: true,
+	}
+	http.SetCookie(w, &c) // GOOD: The Secure flag is set to true.
+}