Code review

2026-01-29 14:23:03 +01:00 · 2021-04-27 20:16:50 +03:00
parent cbaad2efb9
commit ff06815db1
2 changed files with 27 additions and 28 deletions
--- a/ql/src/experimental/CWE-1004/AuthCookie.qll
+++ b/ql/src/experimental/CWE-1004/AuthCookie.qll
@@ -10,21 +10,14 @@ import go
 * This should cover most typical patterns...
 */
 DataFlow::Node getValueForFieldWrite(StructLit sl, string field) {
-  exists(Write w, DataFlow::Node base, Field f, DataFlow::Node rhs |
+  exists(Write w, DataFlow::Node base, Field f |
    f.getName() = field and
-    w.writesField(base, f, rhs) and
-    result = rhs and
+    w.writesField(base, f, result) and
    (
      sl = base.asExpr()
      or
-      exists(VariableName vn |
-        vn = base.asExpr() and
-        exists(DataFlow::Node creation |
-          DataFlow::localFlow(creation, base) and
-          creation.asExpr() = sl and
-          base.asExpr() = vn
-        )
-      )
+      base.asExpr() instanceof VariableName and
+      base.getAPredecessor*().asExpr() = sl
    )
  )
 }
@@ -44,10 +37,7 @@ class HttpOnlyCookieTrackingConfiguration extends TaintTracking::Configuration {
        or
        exists(DataFlow::Node rhs |
          rhs = getValueForFieldWrite(sl, "HttpOnly") and
-          exists(DataFlow::Node valSrc |
-            DataFlow::localFlow(valSrc, rhs) and
-            valSrc.asExpr().getBoolValue() = false
-          )
+          rhs.getAPredecessor*().asExpr().getBoolValue() = false
        )
      )
    )
@@ -94,10 +84,7 @@ class AuthCookieNameConfiguration extends TaintTracking::Configuration {
      sl.getType().hasQualifiedName("net/http", "Cookie") and
      exists(DataFlow::Node rhs |
        rhs = getValueForFieldWrite(sl, "Name") and
-        exists(DataFlow::Node valSrc |
-          DataFlow::localFlow(valSrc, rhs) and
-          isAuthVariable(valSrc.asExpr())
-        )
+        isAuthVariable(rhs.getAPredecessor*().asExpr())
      )
    )
  }
@@ -157,8 +144,7 @@ class SessionOptionsTrackingConfiguration extends TaintTracking::Configuration {
  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
    exists(Field f, DataFlow::Write w, DataFlow::Node base |
      f.getQualifiedName() = "github.com/gorilla/sessions.Session.Options" and
-      w.writesField(base, f, _) and
-      pred = w.getRhs() and
+      w.writesField(base, f, pred) and
      succ = base
    )
  }
--- a/ql/src/experimental/CWE-1004/CookieWithoutHttpOnly.ql
+++ b/ql/src/experimental/CWE-1004/CookieWithoutHttpOnly.ql
@@ -15,14 +15,18 @@
 import go
 import AuthCookie

-from Expr expr
-where
-  exists(SetCookieSink sink, DataFlow::Node source |
-    exists(HttpOnlyCookieTrackingConfiguration httpOnlyCfg | httpOnlyCfg.hasFlow(source, sink)) and
-    exists(AuthCookieNameConfiguration cookieNameCfg | cookieNameCfg.hasFlow(source, sink)) and
+predicate isNetHttpCookieFlow(Expr expr) {
+  exists(
+    HttpOnlyCookieTrackingConfiguration httpOnlyCfg, AuthCookieNameConfiguration cookieNameCfg,
+    SetCookieSink sink, DataFlow::Node source
+  |
+    httpOnlyCfg.hasFlow(source, sink) and
+    cookieNameCfg.hasFlow(source, sink) and
    sink.asExpr() = expr
  )
-  or
+}
+
+predicate isGinContextCookieFlow(Expr expr) {
  exists(CallExpr c |
    c.getTarget().getQualifiedName() = "github.com/gin-gonic/gin.Context.SetCookie" and
    c.getArgument(6) = expr and
@@ -37,7 +41,9 @@ where
      isAuthVariable(nameSrc.asExpr())
    )
  )
-  or
+}
+
+predicate isGorillaSessionsCookieFlow(Expr expr) {
  exists(DataFlow::Node sessionSave |
    sessionSave.asExpr() = expr and
    exists(CookieStoreSaveTrackingConfiguration cfg | cfg.hasFlow(_, sessionSave)) and
@@ -60,4 +66,11 @@ where
      )
    )
  )
+}
+
+from Expr expr
+where
+  isNetHttpCookieFlow(expr) or
+  isGinContextCookieFlow(expr) or
+  isGorillaSessionsCookieFlow(expr)
 select expr, "Cookie attribute 'HttpOnly' is not set to true."