add session{key,id} as sensitive info

Author: erik-krogh

javascript/ql/lib/semmle/javascript/security/internal/SensitiveDataHeuristics.qll

@@ -58,7 +58,7 @@ module HeuristicNames {
    */
   string maybeAccountInfo() {
     result = "(?is).*acc(ou)?nt.*" or
-    result = "(?is).*(puid|username|userid).*" or
+    result = "(?is).*(puid|username|userid|session(id|key)).*" or
     result = "(?s).*([uU]|^|_|[a-z](?=U))([uU][iI][dD]).*"
   }
 

javascript/ql/test/query-tests/Security/CWE-1004/ClientExposedCookie.expected

@@ -17,3 +17,4 @@
 | tst-httpOnly.js:289:37:289:59 | `authKe ... {attr}` | Sensitive server cookie is missing 'httpOnly' flag. |
 | tst-httpOnly.js:303:9:307:2 | session ...  BAD\\n}) | Sensitive server cookie is missing 'httpOnly' flag. |
 | tst-httpOnly.js:320:9:324:2 | session ... tter\\n}) | Sensitive server cookie is missing 'httpOnly' flag. |
+| tst-httpOnly.js:330:37:330:68 | "sessio ... onKey() | Sensitive server cookie is missing 'httpOnly' flag. |

javascript/ql/test/query-tests/Security/CWE-1004/tst-httpOnly.js

@@ -322,3 +322,13 @@ app.use(session({
     keys: ['key1', 'key2'],
     cookie: { httpOnly: false } // BAD, It is a session cookie, name doesn't matter
 }))
+
+const http = require('http');
+function test10() {
+    const server = http.createServer((req, res) => {
+        res.setHeader('Content-Type', 'text/html');
+        res.setHeader("Set-Cookie", "sessionKey=" + makeSessionKey()); // BAD
+        res.writeHead(200, { 'Content-Type': 'text/plain' });
+        res.end('ok');
+    });
+}

python/ql/lib/semmle/python/security/internal/SensitiveDataHeuristics.qll

@@ -58,7 +58,7 @@ module HeuristicNames {
    */
   string maybeAccountInfo() {
     result = "(?is).*acc(ou)?nt.*" or
-    result = "(?is).*(puid|username|userid).*" or
+    result = "(?is).*(puid|username|userid|session(id|key)).*" or
     result = "(?s).*([uU]|^|_|[a-z](?=U))([uU][iI][dD]).*"
   }