Promoto cookie injection query

joefarebrother · joefarebrother · commit 123214cb2b49 · 2024-07-16T16:49:56.000+01:00
diff --git a/python/ql/lib/semmle/python/security/dataflow/CookieInjectionCustomizations.qll b/python/ql/lib/semmle/python/security/dataflow/CookieInjectionCustomizations.qll
@@ -0,0 +1,48 @@
+/**
+ * Provides default sources, sinks and sanitizers for detecting
+ * "cookie injection"
+ * vulnerabilities, as well as extension points for adding your own.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.Concepts
+private import semmle.python.dataflow.new.RemoteFlowSources
+
+/**
+ * Provides default sources, sinks and sanitizers for detecting
+ * "cookie injection"
+ * vulnerabilities, as well as extension points for adding your own.
+ */
+module CookieInjection {
+  /**
+   * A data flow source for "cookie injection" vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for "cookie injection" vulnerabilities.
+   */
+  abstract class Sink extends DataFlow::Node { }
+
+  /**
+   * A sanitizer for "cookie injection" vulnerabilities.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /**
+   * A source of remote user input, considered as a flow source.
+   */
+  class RemoteFlowSourceAsSource extends Source, RemoteFlowSource { }
+
+  /**
+   * A write to a cookie, considered as a sink.
+   */
+  class CookieWriteSink extends Sink {
+    CookieWriteSink() {
+      exists(Http::Server::CookieWrite cw |
+        this = [cw.getNameArg(), cw.getValueArg(), cw.getHeaderArg()]
+      )
+    }
+  }
+}
diff --git a/python/ql/lib/semmle/python/security/dataflow/CookieInjectionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/CookieInjectionQuery.qll
@@ -0,0 +1,26 @@
+/**
+ * Provides a taint-tracking configuration for detecting "cookie injection" vulnerabilities.
+ *
+ * Note, for performance reasons: only import this file if
+ * `CookieInjectionFlow` is needed, otherwise
+ * `CookieInjectionCustomizations` should be imported instead.
+ */
+
+private import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import CookieInjectionCustomizations::CookieInjection
+
+/**
+ * A taint-tracking configuration for detecting "cookie injection" vulnerabilities.
+ */
+module CookieInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/** Global taint-tracking for detecting "cookie injection" vulnerabilities. */
+module CookieInjectionFlow = TaintTracking::Global<CookieInjectionConfig>;
diff --git a/python/ql/src/Security/CWE-614/CookieInjection.ql b/python/ql/src/Security/CWE-614/CookieInjection.ql
@@ -0,0 +1,20 @@
+/**
+ * @name Construction of a cookie using user-supplied input.
+ * @description Constructing cookies from user input may allow an attacker to perform a Cookie Poisoning attack.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id py/cookie-injection
+ * @tags security
+ *       external/cwe/cwe-614
+ */
+
+import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.security.dataflow.CookieInjectionQuery
+import CookieInjectionFlow::PathGraph
+
+from CookieInjectionFlow::PathNode source, CookieInjectionFlow::PathNode sink
+where CookieInjectionFlow::flowPath(source, sink)
+select sink.getNode(), source, sink, "Cookie is constructed from a $@.", source.getNode(),
+  "user-supplied input"
