Promote insecure cookie query

joefarebrother · joefarebrother · commit 033dd9f8a6a8 · 2024-07-23T10:14:22.000+01:00
diff --git a/python/ql/src/Security/CWE-614/InsecureCookie.ql b/python/ql/src/Security/CWE-614/InsecureCookie.ql
@@ -0,0 +1,49 @@
+/**
+ * @name Failure to use secure cookies
+ * @description Insecure cookies may be sent in cleartext, which makes them vulnerable to
+ *              interception.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 5.0
+ * @precision high
+ * @id py/insecure-cookie
+ * @tags security
+ *       external/cwe/cwe-614
+ */
+
+import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.Concepts
+
+predicate hasProblem(Http::Server::CookieWrite cookie, string alert, int idx) {
+  cookie.hasSecureFlag(false) and
+  alert = "Secure" and
+  idx = 0
+  or
+  cookie.hasHttpOnlyFlag(false) and
+  alert = "HttpOnly" and
+  idx = 1
+  or
+  cookie.hasSameSiteFlag(false) and
+  alert = "SameSite" and
+  idx = 2
+}
+
+predicate hasAlert(Http::Server::CookieWrite cookie, string alert) {
+  exists(int numProblems | numProblems = strictcount(string p | hasProblem(cookie, p, _)) |
+    numProblems = 1 and
+    alert = any(string prob | hasProblem(cookie, prob, _)) + " attribute"
+    or
+    numProblems = 2 and
+    alert =
+      strictconcat(string prob, int idx | hasProblem(cookie, prob, idx) | " and ", prob order by idx)
+        + " attributes"
+    or
+    numProblems = 3 and
+    alert = "Secure, HttpOnly, and SameSite attributes"
+  )
+}
+
+from Http::Server::CookieWrite cookie, string alert
+where hasAlert(cookie, alert)
+select cookie, "Cookie is added without the " + alert + " properly set."
