Use a 3-valued newtype for hasSameSiteAttribute

Author: joefarebrother

python/ql/lib/semmle/python/Concepts.qll

@@ -1215,9 +1215,9 @@ module Http {
       predicate hasHttpOnlyFlag(boolean b) { super.hasHttpOnlyFlag(b) }
 
       /**
-       * Holds if the `SameSite` flag of the cookie is known to have a value of `b`.
+       * Holds if the `SameSite` attribute of the cookie is known to have a value of `v`.
        */
-      predicate hasSameSiteFlag(boolean b) { super.hasSameSiteFlag(b) }
+      predicate hasSameSiteAttribute(CookieWrite::SameSiteValue v) { super.hasSameSiteAttribute(v) }
     }
 
     /** Provides a class for modeling new cookie writes on HTTP responses. */
@@ -1288,33 +1288,63 @@ module Http {
         }
 
         /**
-         * Holds if the `SameSite` flag of the cookie is known to have a value of `b`.
+         * Holds if the `SameSite` flag of the cookie is known to have a value of `v`.
          */
-        // TODO: b could be a newtype with 3 values indicating Strict,Lax,or None
-        // currently, Strict and Lax are represented with true and None is represented with false.
-        predicate hasSameSiteFlag(boolean b) {
+        predicate hasSameSiteAttribute(SameSiteValue v) {
           exists(this.getHeaderArg()) and
           (
             exists(StringLiteral sl |
-              sl.getText().regexpMatch("(?i).*;\\s*samesite=(strict|lax);.*") and
+              sl.getText().regexpMatch("(?i).*;\\s*samesite=strict;.*") and
               TaintTracking::localTaint(DataFlow::exprNode(sl), this.getHeaderArg()) and
-              b = true
+              v instanceof SameSiteStrict
+            )
+            or
+            exists(StringLiteral sl |
+              sl.getText().regexpMatch("(?i).*;\\s*samesite=lax;.*") and
+              TaintTracking::localTaint(DataFlow::exprNode(sl), this.getHeaderArg()) and
+              v instanceof SameSiteLax
             )
             or
             exists(StringLiteral sl |
               sl.getText().regexpMatch("(?i).*;\\s*samesite=none;.*") and
               TaintTracking::localTaint(DataFlow::exprNode(sl), this.getHeaderArg()) and
-              b = false
+              v instanceof SameSiteNone
             )
             or
             exists(StringLiteral sl |
               not sl.getText().regexpMatch("(?i).*;\\s*samesite=(strict|lax|none);.*") and
               DataFlow::localFlow(DataFlow::exprNode(sl), this.getHeaderArg()) and
-              b = true // Lax is the default
+              v instanceof SameSiteLax // Lax is the default
             )
           )
         }
       }
+
+      private newtype TSameSiteValue =
+        TSameSiteStrict() or
+        TSameSiteLax() or
+        TSameSiteNone()
+
+      /** A possible value for the SameSite attribute of a cookie. */
+      class SameSiteValue extends TSameSiteValue {
+        /** Gets a string representation of this value. */
+        string toString() { none() }
+      }
+
+      /** A `Strict` value of the `SameSite` attribute. */
+      class SameSiteStrict extends SameSiteValue, TSameSiteStrict {
+        override string toString() { result = "Strict" }
+      }
+
+      /** A `Lax` value of the `SameSite` attribute. */
+      class SameSiteLax extends SameSiteValue, TSameSiteLax {
+        override string toString() { result = "Lax" }
+      }
+
+      /** A `None` value of the `SameSite` attribute. */
+      class SameSiteNone extends SameSiteValue, TSameSiteNone {
+        override string toString() { result = "None" }
+      }
     }
 
     /** A write to a `Set-Cookie` header that sets a cookie directly. */

python/ql/lib/semmle/python/frameworks/Django.qll

@@ -2211,22 +2211,25 @@ module PrivateDjango {
             b = false
           }
 
-          override predicate hasSameSiteFlag(boolean b) {
-            super.hasHttpOnlyFlag(b)
+          override predicate hasSameSiteAttribute(Http::Server::CookieWrite::SameSiteValue v) {
+            super.hasSameSiteAttribute(v)
             or
             exists(DataFlow::Node arg, StringLiteral str | arg = this.getArgByName("samesite") |
               DataFlow::localFlow(DataFlow::exprNode(str), arg) and
               (
-                str.getText().toLowerCase() = ["strict", "lax"] and
-                b = true
+                str.getText().toLowerCase() = "strict" and
+                v instanceof Http::Server::CookieWrite::SameSiteStrict
+                or
+                str.getText().toLowerCase() = "strict" and
+                v instanceof Http::Server::CookieWrite::SameSiteLax
                 or
                 str.getText().toLowerCase() = "none" and
-                b = false
+                v instanceof Http::Server::CookieWrite::SameSiteNone
               )
             )
             or
             not exists(this.getArgByName("samesite")) and
-            b = true // Lax is the default
+            v instanceof Http::Server::CookieWrite::SameSiteLax // Lax is the default
           }
         }
 

python/ql/lib/semmle/python/frameworks/Flask.qll

@@ -618,22 +618,25 @@ module Flask {
       b = false
     }
 
-    override predicate hasSameSiteFlag(boolean b) {
-      super.hasHttpOnlyFlag(b)
+    override predicate hasSameSiteAttribute(Http::Server::CookieWrite::SameSiteValue v) {
+      super.hasSameSiteAttribute(v)
       or
       exists(DataFlow::Node arg, StringLiteral str | arg = this.getArgByName("samesite") |
         DataFlow::localFlow(DataFlow::exprNode(str), arg) and
         (
-          str.getText().toLowerCase() = ["strict", "lax"] and
-          b = true
+          str.getText().toLowerCase() = "strict" and
+          v instanceof Http::Server::CookieWrite::SameSiteStrict
+          or
+          str.getText().toLowerCase() = "strict" and
+          v instanceof Http::Server::CookieWrite::SameSiteLax
           or
           str.getText().toLowerCase() = "none" and
-          b = false
+          v instanceof Http::Server::CookieWrite::SameSiteNone
         )
       )
       or
       not exists(this.getArgByName("samesite")) and
-      b = true // Lax is the default
+      v instanceof Http::Server::CookieWrite::SameSiteLax // Lax is the default
     }
   }
 

python/ql/src/Security/CWE-614/InsecureCookie.ql

@@ -26,7 +26,7 @@ predicate hasProblem(Http::Server::CookieWrite cookie, string alert, int idx) {
   alert = "HttpOnly" and
   idx = 1
   or
-  cookie.hasSameSiteFlag(false) and
+  cookie.hasSameSiteAttribute(any(Http::Server::CookieWrite::SameSiteNone v)) and
   alert = "SameSite" and
   idx = 2
 }

python/ql/src/experimental/Security/CWE-614/InsecureCookie.ql

@@ -26,6 +26,6 @@ where
   cookie.hasHttpOnlyFlag(false) and
   alert = "httponly"
   or
-  cookie.hasSameSiteFlag(false) and
+  cookie.hasSameSiteAttribute(any(Http::Server::CookieWrite::SameSiteNone v)) and
   alert = "samesite"
 select cookie, "Cookie is added without the '" + alert + "' flag properly set."

python/ql/src/experimental/semmle/python/frameworks/Django.qll

@@ -141,18 +141,17 @@ private module ExperimentalPrivateDjango {
               else b = false
             }
 
-            override predicate hasSameSiteFlag(boolean b) {
-              if
-                exists(StringLiteral str |
-                  str.getText() in ["Strict", "Lax"] and
-                  DataFlow::exprNode(str)
-                      .(DataFlow::LocalSourceNode)
-                      .flowsTo(this.(DataFlow::CallCfgNode).getArgByName("samesite"))
-                )
-              then b = true
-              else b = false
-            }
-
+            // override predicate hasSameSiteFlag(boolean b) {
+            //   if
+            //     exists(StringLiteral str |
+            //       str.getText() in ["Strict", "Lax"] and
+            //       DataFlow::exprNode(str)
+            //           .(DataFlow::LocalSourceNode)
+            //           .flowsTo(this.(DataFlow::CallCfgNode).getArgByName("samesite"))
+            //     )
+            //   then b = true
+            //   else b = false
+            // }
             override DataFlow::Node getHeaderArg() { none() }
           }
         }

python/ql/src/experimental/semmle/python/frameworks/Flask.qll

@@ -56,18 +56,17 @@ module ExperimentalFlask {
       else b = false
     }
 
-    override predicate hasSameSiteFlag(boolean b) {
-      if
-        exists(StringLiteral str |
-          str.getText() in ["Strict", "Lax"] and
-          DataFlow::exprNode(str)
-              .(DataFlow::LocalSourceNode)
-              .flowsTo(this.(DataFlow::CallCfgNode).getArgByName("samesite"))
-        )
-      then b = true
-      else b = false
-    }
-
+    // override predicate hasSameSiteFlag(boolean b) {
+    //   if
+    //     exists(StringLiteral str |
+    //       str.getText() in ["Strict", "Lax"] and
+    //       DataFlow::exprNode(str)
+    //           .(DataFlow::LocalSourceNode)
+    //           .flowsTo(this.(DataFlow::CallCfgNode).getArgByName("samesite"))
+    //     )
+    //   then b = true
+    //   else b = false
+    // }
     override DataFlow::Node getHeaderArg() { none() }
   }
 }

python/ql/src/experimental/semmle/python/security/injection/CookieInjection.qll

@@ -18,7 +18,7 @@ class CookieSink extends DataFlow::Node {
         cookie.hasHttpOnlyFlag(false) and
         flag = "httponly"
         or
-        cookie.hasSameSiteFlag(false) and
+        cookie.hasSameSiteAttribute(any(Http::Server::CookieWrite::SameSiteNone v)) and
         flag = "samesite"
       )
     )