update tests so it's clear which cookies are insecure

erik-krogh · erik-krogh · commit 1e1e54984717 · 2021-10-26T13:46:58.000+02:00
diff --git a/javascript/ql/test/query-tests/Security/CWE-614/ClearTextCookie.expected b/javascript/ql/test/query-tests/Security/CWE-614/ClearTextCookie.expected
@@ -2,14 +2,14 @@
 | tst-cleartextCookie.js:20:5:20:43 | res.coo ... ptions) | Sensitive cookie sent without enforcing SSL encryption |
 | tst-cleartextCookie.js:35:1:35:52 | js_cook ... alse }) | Sensitive cookie sent without enforcing SSL encryption |
 | tst-cleartextCookie.js:44:37:44:51 | "authKey=ninja" | Sensitive cookie sent without enforcing SSL encryption |
-| tst-cleartextCookie.js:64:38:64:52 | "authKey=ninja" | Sensitive cookie sent without enforcing SSL encryption |
-| tst-cleartextCookie.js:94:60:94:72 | "authKey=foo" | Sensitive cookie sent without enforcing SSL encryption |
-| tst-cleartextCookie.js:104:9:107:2 | session ... T OK\\n}) | Sensitive cookie sent without enforcing SSL encryption |
-| tst-cleartextCookie.js:109:9:112:2 | session ... T OK\\n}) | Sensitive cookie sent without enforcing SSL encryption |
-| tst-cleartextCookie.js:114:9:117:2 | session ... T OK\\n}) | Sensitive cookie sent without enforcing SSL encryption |
-| tst-cleartextCookie.js:124:9:124:21 | session(sess) | Sensitive cookie sent without enforcing SSL encryption |
-| tst-cleartextCookie.js:148:9:156:2 | session ... Date\\n}) | Sensitive cookie sent without enforcing SSL encryption |
-| tst-cleartextCookie.js:160:33:160:58 | `authKe ... key()}` | Sensitive cookie sent without enforcing SSL encryption |
-| tst-cleartextCookie.js:173:5:173:19 | document.cookie | Sensitive cookie sent without enforcing SSL encryption |
-| tst-cleartextCookie.js:177:5:177:41 | cookies ... hkey()) | Sensitive cookie sent without enforcing SSL encryption |
-| tst-cleartextCookie.js:182:5:182:46 | cookie. ... hkey()) | Sensitive cookie sent without enforcing SSL encryption |
+| tst-cleartextCookie.js:64:13:64:27 | "authKey=ninja" | Sensitive cookie sent without enforcing SSL encryption |
+| tst-cleartextCookie.js:97:13:97:25 | "authKey=foo" | Sensitive cookie sent without enforcing SSL encryption |
+| tst-cleartextCookie.js:108:9:111:2 | session ... T OK\\n}) | Sensitive cookie sent without enforcing SSL encryption |
+| tst-cleartextCookie.js:113:9:116:2 | session ... T OK\\n}) | Sensitive cookie sent without enforcing SSL encryption |
+| tst-cleartextCookie.js:118:9:121:2 | session ... T OK\\n}) | Sensitive cookie sent without enforcing SSL encryption |
+| tst-cleartextCookie.js:128:9:128:21 | session(sess) | Sensitive cookie sent without enforcing SSL encryption |
+| tst-cleartextCookie.js:152:9:160:2 | session ... Date\\n}) | Sensitive cookie sent without enforcing SSL encryption |
+| tst-cleartextCookie.js:164:33:164:58 | `authKe ... key()}` | Sensitive cookie sent without enforcing SSL encryption |
+| tst-cleartextCookie.js:177:5:177:19 | document.cookie | Sensitive cookie sent without enforcing SSL encryption |
+| tst-cleartextCookie.js:181:5:181:41 | cookies ... hkey()) | Sensitive cookie sent without enforcing SSL encryption |
+| tst-cleartextCookie.js:186:5:186:46 | cookie. ... hkey()) | Sensitive cookie sent without enforcing SSL encryption |
diff --git a/javascript/ql/test/query-tests/Security/CWE-614/tst-cleartextCookie.js b/javascript/ql/test/query-tests/Security/CWE-614/tst-cleartextCookie.js
@@ -60,8 +60,10 @@ function test2() {
 function test3() {
     const server = http.createServer((req, res) => {
         res.setHeader('Content-Type', 'text/html');
-        // BAD (and good, TODO: Move to separate lines)
-        res.setHeader("Set-Cookie", ["authKey=ninja", "language=javascript"]);
+        res.setHeader("Set-Cookie", [
+            "authKey=ninja", // NOT OK
+            "language=javascript" // OK
+            ]);
         res.writeHead(200, { 'Content-Type': 'text/plain' });
         res.end('ok');
     });
@@ -90,8 +92,10 @@ function test5() {
 function test6() {
     const server = http.createServer((req, res) => {
         res.setHeader('Content-Type', 'text/html');
-        // BAD (and good. TODO: Move to separate lines)
-        res.setHeader("Set-Cookie", ["type=ninja; secure", "authKey=foo"]);
+        res.setHeader("Set-Cookie", [
+            "type=ninja; secure", // OK 
+            "authKey=foo" // NOT OK
+        ]);
         res.writeHead(200, { 'Content-Type': 'text/plain' });
         res.end('ok');
     });
