add test for the cookie npm package

erik-krogh · erik-krogh · commit 311df4d2b7a5 · 2021-10-26T13:46:59.000+02:00
diff --git a/javascript/ql/test/query-tests/Security/CWE-614/ClearTextCookie.expected b/javascript/ql/test/query-tests/Security/CWE-614/ClearTextCookie.expected
@@ -13,3 +13,4 @@
 | tst-cleartextCookie.js:177:5:177:19 | document.cookie | Sensitive cookie sent without enforcing SSL encryption |
 | tst-cleartextCookie.js:181:5:181:41 | cookies ... hkey()) | Sensitive cookie sent without enforcing SSL encryption |
 | tst-cleartextCookie.js:186:5:186:46 | cookie. ... hkey()) | Sensitive cookie sent without enforcing SSL encryption |
+| tst-cleartextCookie.js:195:33:195:74 | cookie. ... hkey()) | Sensitive cookie sent without enforcing SSL encryption |
diff --git a/javascript/ql/test/query-tests/Security/CWE-614/tst-cleartextCookie.js b/javascript/ql/test/query-tests/Security/CWE-614/tst-cleartextCookie.js
@@ -185,4 +185,14 @@ function clientCookies() {
 
     cookie.serialize('authKey', makeAuthkey()); // NOT OK
     cookie.serialize('authKey', makeAuthkey(), { secure: true, expires: 7 }); // OK
-}
+}
+
+const cookie = require('cookie');
+
+http.createServer((req, res) => {
+    res.setHeader('Content-Type', 'text/html');
+    res.setHeader("Set-Cookie", cookie.serialize("authKey", makeAuthkey(), {secure: true,httpOnly: true})); // OK
+    res.setHeader("Set-Cookie", cookie.serialize("authKey", makeAuthkey())); // NOT OK
+    res.writeHead(200, { 'Content-Type': 'text/plain' });
+    res.end('ok');
+});
