C#: Re-factor CookieOptionsTracking to use the new API.

michaelnebel · michaelnebel · commit a4ee35302dd7 · 2023-04-17T11:38:37.000+02:00
diff --git a/csharp/ql/src/experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql b/csharp/ql/src/experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
@@ -38,11 +38,8 @@ where
             // there is no callback `OnAppendCookie` that sets `HttpOnly` to true
             not exists(OnAppendCookieHttpOnlyTrackingConfig config | config.hasFlowTo(_)) and
             // Passed as third argument to `IResponseCookies.Append`
-            exists(
-              CookieOptionsTrackingConfiguration cookieTracking, DataFlow::Node creation,
-              DataFlow::Node append
-            |
-              cookieTracking.hasFlow(creation, append) and
+            exists(DataFlow::Node creation, DataFlow::Node append |
+              CookieOptionsTracking::flow(creation, append) and
               creation.asExpr() = oc and
               append.asExpr() = mc.getArgument(2)
             )
@@ -79,8 +76,8 @@ where
             oc = c and
             oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
             not isPropertySet(oc, "HttpOnly") and
-            exists(CookieOptionsTrackingConfiguration cookieTracking, DataFlow::Node creation |
-              cookieTracking.hasFlow(creation, _) and
+            exists(DataFlow::Node creation |
+              CookieOptionsTracking::flow(creation, _) and
               creation.asExpr() = oc
             )
           )
diff --git a/csharp/ql/src/experimental/Security Features/CWE-614/CookieWithoutSecure.ql b/csharp/ql/src/experimental/Security Features/CWE-614/CookieWithoutSecure.ql
@@ -37,8 +37,8 @@ where
           oc = c and
           oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
           not isPropertySet(oc, "Secure") and
-          exists(CookieOptionsTrackingConfiguration cookieTracking, DataFlow::Node creation |
-            cookieTracking.hasFlow(creation, _) and
+          exists(DataFlow::Node creation |
+            CookieOptionsTracking::flow(creation, _) and
             creation.asExpr() = oc
           )
         )
@@ -82,8 +82,8 @@ where
           // there is no callback `OnAppendCookie` that sets `Secure` to true
           not exists(OnAppendCookieSecureTrackingConfig config | config.hasFlowTo(_)) and
           // the cookie option is passed to `Append`
-          exists(CookieOptionsTrackingConfiguration cookieTracking, DataFlow::Node creation |
-            cookieTracking.hasFlow(creation, _) and
+          exists(DataFlow::Node creation |
+            CookieOptionsTracking::flow(creation, _) and
             creation.asExpr() = oc
           )
         )
diff --git a/csharp/ql/src/experimental/dataflow/flowsources/AuthCookie.qll b/csharp/ql/src/experimental/dataflow/flowsources/AuthCookie.qll
@@ -40,9 +40,11 @@ private class AuthCookieNameConfiguration extends DataFlow::Configuration {
 }
 
 /**
+ * DEPRECATED: Use `CookieOptionsTracking` instead.
+ *
  * Tracks creation of `CookieOptions` to `IResponseCookies.Append(String, String, CookieOptions)` call as a third parameter.
  */
-class CookieOptionsTrackingConfiguration extends DataFlow::Configuration {
+deprecated class CookieOptionsTrackingConfiguration extends DataFlow::Configuration {
   CookieOptionsTrackingConfiguration() { this = "CookieOptionsTrackingConfiguration" }
 
   override predicate isSource(DataFlow::Node source) {
@@ -57,6 +59,29 @@ class CookieOptionsTrackingConfiguration extends DataFlow::Configuration {
   }
 }
 
+/**
+ * Configuration module tracking creation of `CookieOptions` to `IResponseCookies.Append(String, String, CookieOptions)`
+ * calls as a third parameter.
+ */
+private module CookieOptionsTrackingConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    source.asExpr().(ObjectCreation).getType() instanceof MicrosoftAspNetCoreHttpCookieOptions
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(MicrosoftAspNetCoreHttpResponseCookies iResponse, MethodCall mc |
+      iResponse.getAppendMethod() = mc.getTarget() and
+      mc.getArgument(2) = sink.asExpr()
+    )
+  }
+}
+
+/**
+ * Tracking creation of `CookieOptions` to `IResponseCookies.Append(String, String, CookieOptions)`
+ * calls as a third parameter.
+ */
+module CookieOptionsTracking = DataFlow::Global<CookieOptionsTrackingConfig>;
+
 /**
  * Looks for property value of `CookiePolicyOptions` passed to `app.UseCookiePolicy` in `Startup.Configure`.
  */

Original file line number	Diff line number	Diff line change
`@@ -37,8 +37,8 @@ where`
`37`	`37`	`oc = c and`
`38`	`38`	`oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and`
`39`	`39`	`not isPropertySet(oc, "Secure") and`
`40`		`- exists(CookieOptionsTrackingConfiguration cookieTracking, DataFlow::Node creation \|`
`41`		`- cookieTracking.hasFlow(creation, _) and`
	`40`	`+ exists(DataFlow::Node creation \|`
	`41`	`+ CookieOptionsTracking::flow(creation, _) and`
`42`	`42`	`creation.asExpr() = oc`
`43`	`43`	`)`
`44`	`44`	`)`
`@@ -82,8 +82,8 @@ where`
`82`	`82`	// there is no callback `OnAppendCookie` that sets `Secure` to true
`83`	`83`	`not exists(OnAppendCookieSecureTrackingConfig config \| config.hasFlowTo(_)) and`
`84`	`84`	// the cookie option is passed to `Append`
`85`		`- exists(CookieOptionsTrackingConfiguration cookieTracking, DataFlow::Node creation \|`
`86`		`- cookieTracking.hasFlow(creation, _) and`
	`85`	`+ exists(DataFlow::Node creation \|`
	`86`	`+ CookieOptionsTracking::flow(creation, _) and`
`87`	`87`	`creation.asExpr() = oc`
`88`	`88`	`)`
`89`	`89`	`)`