Factor each framework implementation of the cookie parameters to a common concept

Author: joefarebrother

python/ql/lib/semmle/python/Concepts.qll

@@ -1220,6 +1220,57 @@ module Http {
       predicate hasSameSiteAttribute(CookieWrite::SameSiteValue v) { super.hasSameSiteAttribute(v) }
     }
 
+    /**
+     * A dataflow call node to a method that sets a cookie in an http response,
+     * and has common keyword arguments `secure`, `httponly`, and `samesite` to set the attributes of the cookie.
+     */
+    abstract class SetCookieCall extends CookieWrite::Range, DataFlow::CallCfgNode {
+      override predicate hasSecureFlag(boolean b) {
+        super.hasSecureFlag(b)
+        or
+        exists(DataFlow::Node arg, BooleanLiteral bool | arg = this.getArgByName("secure") |
+          DataFlow::localFlow(DataFlow::exprNode(bool), arg) and
+          b = bool.booleanValue()
+        )
+        or
+        not exists(this.getArgByName("secure")) and
+        b = false
+      }
+
+      override predicate hasHttpOnlyFlag(boolean b) {
+        super.hasHttpOnlyFlag(b)
+        or
+        exists(DataFlow::Node arg, BooleanLiteral bool | arg = this.getArgByName("httponly") |
+          DataFlow::localFlow(DataFlow::exprNode(bool), arg) and
+          b = bool.booleanValue()
+        )
+        or
+        not exists(this.getArgByName("httponly")) and
+        b = false
+      }
+
+      override predicate hasSameSiteAttribute(CookieWrite::SameSiteValue v) {
+        super.hasSameSiteAttribute(v)
+        or
+        exists(DataFlow::Node arg, StringLiteral str | arg = this.getArgByName("samesite") |
+          DataFlow::localFlow(DataFlow::exprNode(str), arg) and
+          (
+            str.getText().toLowerCase() = "strict" and
+            v instanceof CookieWrite::SameSiteStrict
+            or
+            str.getText().toLowerCase() = "lax" and
+            v instanceof CookieWrite::SameSiteLax
+            or
+            str.getText().toLowerCase() = "none" and
+            v instanceof CookieWrite::SameSiteNone
+          )
+        )
+        or
+        not exists(this.getArgByName("samesite")) and
+        v instanceof CookieWrite::SameSiteLax // Lax is the default
+      }
+    }
+
     /** Provides a class for modeling new cookie writes on HTTP responses. */
     module CookieWrite {
       /**

python/ql/lib/semmle/python/frameworks/Aiohttp.qll

@@ -653,8 +653,7 @@ module AiohttpWebModel {
   /**
    * A call to `set_cookie` on a HTTP Response.
    */
-  class AiohttpResponseSetCookieCall extends Http::Server::CookieWrite::Range, DataFlow::CallCfgNode
-  {
+  class AiohttpResponseSetCookieCall extends Http::Server::SetCookieCall {
     AiohttpResponseSetCookieCall() {
       this = aiohttpResponseInstance().getMember("set_cookie").getACall()
     }
@@ -664,51 +663,6 @@ module AiohttpWebModel {
     override DataFlow::Node getNameArg() { result in [this.getArg(0), this.getArgByName("name")] }
 
     override DataFlow::Node getValueArg() { result in [this.getArg(1), this.getArgByName("value")] }
-
-    override predicate hasSecureFlag(boolean b) {
-      super.hasSecureFlag(b)
-      or
-      exists(DataFlow::Node arg, BooleanLiteral bool | arg = this.getArgByName("secure") |
-        DataFlow::localFlow(DataFlow::exprNode(bool), arg) and
-        b = bool.booleanValue()
-      )
-      or
-      not exists(this.getArgByName("secure")) and
-      b = false
-    }
-
-    override predicate hasHttpOnlyFlag(boolean b) {
-      super.hasHttpOnlyFlag(b)
-      or
-      exists(DataFlow::Node arg, BooleanLiteral bool | arg = this.getArgByName("httponly") |
-        DataFlow::localFlow(DataFlow::exprNode(bool), arg) and
-        b = bool.booleanValue()
-      )
-      or
-      not exists(this.getArgByName("httponly")) and
-      b = false
-    }
-
-    override predicate hasSameSiteAttribute(Http::Server::CookieWrite::SameSiteValue v) {
-      super.hasSameSiteAttribute(v)
-      or
-      exists(DataFlow::Node arg, StringLiteral str | arg = this.getArgByName("samesite") |
-        DataFlow::localFlow(DataFlow::exprNode(str), arg) and
-        (
-          str.getText().toLowerCase() = "strict" and
-          v instanceof Http::Server::CookieWrite::SameSiteStrict
-          or
-          str.getText().toLowerCase() = "lax" and
-          v instanceof Http::Server::CookieWrite::SameSiteLax
-          or
-          str.getText().toLowerCase() = "none" and
-          v instanceof Http::Server::CookieWrite::SameSiteNone
-        )
-      )
-      or
-      not exists(this.getArgByName("samesite")) and
-      v instanceof Http::Server::CookieWrite::SameSiteLax // Lax is the default
-    }
   }
 
   /**

python/ql/lib/semmle/python/frameworks/Django.qll

@@ -2170,7 +2170,7 @@ module PrivateDjango {
         /**
          * A call to `set_cookie` on a HTTP Response.
          */
-        class DjangoResponseSetCookieCall extends Http::Server::CookieWrite::Range,
+        class DjangoResponseSetCookieCall extends Http::Server::SetCookieCall,
           DataFlow::MethodCallNode
         {
           DjangoResponseSetCookieCall() {
@@ -2186,51 +2186,6 @@ module PrivateDjango {
           override DataFlow::Node getValueArg() {
             result in [this.getArg(1), this.getArgByName("value")]
           }
-
-          override predicate hasSecureFlag(boolean b) {
-            super.hasSecureFlag(b)
-            or
-            exists(DataFlow::Node arg, BooleanLiteral bool | arg = this.getArgByName("secure") |
-              DataFlow::localFlow(DataFlow::exprNode(bool), arg) and
-              b = bool.booleanValue()
-            )
-            or
-            not exists(this.getArgByName("secure")) and
-            b = false
-          }
-
-          override predicate hasHttpOnlyFlag(boolean b) {
-            super.hasHttpOnlyFlag(b)
-            or
-            exists(DataFlow::Node arg, BooleanLiteral bool | arg = this.getArgByName("httponly") |
-              DataFlow::localFlow(DataFlow::exprNode(bool), arg) and
-              b = bool.booleanValue()
-            )
-            or
-            not exists(this.getArgByName("httponly")) and
-            b = false
-          }
-
-          override predicate hasSameSiteAttribute(Http::Server::CookieWrite::SameSiteValue v) {
-            super.hasSameSiteAttribute(v)
-            or
-            exists(DataFlow::Node arg, StringLiteral str | arg = this.getArgByName("samesite") |
-              DataFlow::localFlow(DataFlow::exprNode(str), arg) and
-              (
-                str.getText().toLowerCase() = "strict" and
-                v instanceof Http::Server::CookieWrite::SameSiteStrict
-                or
-                str.getText().toLowerCase() = "lax" and
-                v instanceof Http::Server::CookieWrite::SameSiteLax
-                or
-                str.getText().toLowerCase() = "none" and
-                v instanceof Http::Server::CookieWrite::SameSiteNone
-              )
-            )
-            or
-            not exists(this.getArgByName("samesite")) and
-            v instanceof Http::Server::CookieWrite::SameSiteLax // Lax is the default
-          }
         }
 
         /**

python/ql/lib/semmle/python/frameworks/FastApi.qll

@@ -348,7 +348,7 @@ module FastApi {
     /**
      * A call to `set_cookie` on a FastAPI Response.
      */
-    private class SetCookieCall extends Http::Server::CookieWrite::Range, DataFlow::MethodCallNode {
+    private class SetCookieCall extends Http::Server::SetCookieCall, DataFlow::MethodCallNode {
       SetCookieCall() { this.calls(instance(), "set_cookie") }
 
       override DataFlow::Node getHeaderArg() { none() }
@@ -358,51 +358,6 @@ module FastApi {
       override DataFlow::Node getValueArg() {
         result in [this.getArg(1), this.getArgByName("value")]
       }
-
-      override predicate hasSecureFlag(boolean b) {
-        super.hasSecureFlag(b)
-        or
-        exists(DataFlow::Node arg, BooleanLiteral bool | arg = this.getArgByName("secure") |
-          DataFlow::localFlow(DataFlow::exprNode(bool), arg) and
-          b = bool.booleanValue()
-        )
-        or
-        not exists(this.getArgByName("secure")) and
-        b = false
-      }
-
-      override predicate hasHttpOnlyFlag(boolean b) {
-        super.hasHttpOnlyFlag(b)
-        or
-        exists(DataFlow::Node arg, BooleanLiteral bool | arg = this.getArgByName("httponly") |
-          DataFlow::localFlow(DataFlow::exprNode(bool), arg) and
-          b = bool.booleanValue()
-        )
-        or
-        not exists(this.getArgByName("httponly")) and
-        b = false
-      }
-
-      override predicate hasSameSiteAttribute(Http::Server::CookieWrite::SameSiteValue v) {
-        super.hasSameSiteAttribute(v)
-        or
-        exists(DataFlow::Node arg, StringLiteral str | arg = this.getArgByName("samesite") |
-          DataFlow::localFlow(DataFlow::exprNode(str), arg) and
-          (
-            str.getText().toLowerCase() = "strict" and
-            v instanceof Http::Server::CookieWrite::SameSiteStrict
-            or
-            str.getText().toLowerCase() = "lax" and
-            v instanceof Http::Server::CookieWrite::SameSiteLax
-            or
-            str.getText().toLowerCase() = "none" and
-            v instanceof Http::Server::CookieWrite::SameSiteNone
-          )
-        )
-        or
-        not exists(this.getArgByName("samesite")) and
-        v instanceof Http::Server::CookieWrite::SameSiteLax // Lax is the default
-      }
     }
 
     /**

python/ql/lib/semmle/python/frameworks/Flask.qll

@@ -583,61 +583,14 @@ module Flask {
    *
    * See https://flask.palletsprojects.com/en/2.0.x/api/#flask.Response.set_cookie
    */
-  class FlaskResponseSetCookieCall extends Http::Server::CookieWrite::Range,
-    DataFlow::MethodCallNode
-  {
+  class FlaskResponseSetCookieCall extends Http::Server::SetCookieCall, DataFlow::MethodCallNode {
     FlaskResponseSetCookieCall() { this.calls(Flask::Response::instance(), "set_cookie") }
 
     override DataFlow::Node getHeaderArg() { none() }
 
     override DataFlow::Node getNameArg() { result in [this.getArg(0), this.getArgByName("key")] }
 
     override DataFlow::Node getValueArg() { result in [this.getArg(1), this.getArgByName("value")] }
-
-    override predicate hasSecureFlag(boolean b) {
-      super.hasSecureFlag(b)
-      or
-      exists(DataFlow::Node arg, BooleanLiteral bool | arg = this.getArgByName("secure") |
-        DataFlow::localFlow(DataFlow::exprNode(bool), arg) and
-        b = bool.booleanValue()
-      )
-      or
-      not exists(this.getArgByName("secure")) and
-      b = false
-    }
-
-    override predicate hasHttpOnlyFlag(boolean b) {
-      super.hasHttpOnlyFlag(b)
-      or
-      exists(DataFlow::Node arg, BooleanLiteral bool | arg = this.getArgByName("httponly") |
-        DataFlow::localFlow(DataFlow::exprNode(bool), arg) and
-        b = bool.booleanValue()
-      )
-      or
-      not exists(this.getArgByName("httponly")) and
-      b = false
-    }
-
-    override predicate hasSameSiteAttribute(Http::Server::CookieWrite::SameSiteValue v) {
-      super.hasSameSiteAttribute(v)
-      or
-      exists(DataFlow::Node arg, StringLiteral str | arg = this.getArgByName("samesite") |
-        DataFlow::localFlow(DataFlow::exprNode(str), arg) and
-        (
-          str.getText().toLowerCase() = "strict" and
-          v instanceof Http::Server::CookieWrite::SameSiteStrict
-          or
-          str.getText().toLowerCase() = "lax" and
-          v instanceof Http::Server::CookieWrite::SameSiteLax
-          or
-          str.getText().toLowerCase() = "none" and
-          v instanceof Http::Server::CookieWrite::SameSiteNone
-        )
-      )
-      or
-      not exists(this.getArgByName("samesite")) and
-      v instanceof Http::Server::CookieWrite::SameSiteLax // Lax is the default
-    }
   }
 
   /**

python/ql/lib/semmle/python/frameworks/Pyramid.qll

@@ -255,7 +255,7 @@ module Pyramid {
     }
 
     /** A call to `response.set_cookie`. */
-    private class SetCookieCall extends Http::Server::CookieWrite::Range, DataFlow::MethodCallNode {
+    private class SetCookieCall extends Http::Server::SetCookieCall, DataFlow::MethodCallNode {
       SetCookieCall() { this.calls(instance(), "set_cookie") }
 
       override DataFlow::Node getHeaderArg() { none() }
@@ -265,51 +265,6 @@ module Pyramid {
       override DataFlow::Node getValueArg() {
         result = [this.getArg(1), this.getArgByName("value")]
       }
-
-      override predicate hasSecureFlag(boolean b) {
-        super.hasSecureFlag(b)
-        or
-        exists(DataFlow::Node arg, BooleanLiteral bool | arg = this.getArgByName("secure") |
-          DataFlow::localFlow(DataFlow::exprNode(bool), arg) and
-          b = bool.booleanValue()
-        )
-        or
-        not exists(this.getArgByName("secure")) and
-        b = false
-      }
-
-      override predicate hasHttpOnlyFlag(boolean b) {
-        super.hasHttpOnlyFlag(b)
-        or
-        exists(DataFlow::Node arg, BooleanLiteral bool | arg = this.getArgByName("httponly") |
-          DataFlow::localFlow(DataFlow::exprNode(bool), arg) and
-          b = bool.booleanValue()
-        )
-        or
-        not exists(this.getArgByName("httponly")) and
-        b = false
-      }
-
-      override predicate hasSameSiteAttribute(Http::Server::CookieWrite::SameSiteValue v) {
-        super.hasSameSiteAttribute(v)
-        or
-        exists(DataFlow::Node arg, StringLiteral str | arg = this.getArgByName("samesite") |
-          DataFlow::localFlow(DataFlow::exprNode(str), arg) and
-          (
-            str.getText().toLowerCase() = "strict" and
-            v instanceof Http::Server::CookieWrite::SameSiteStrict
-            or
-            str.getText().toLowerCase() = "lax" and
-            v instanceof Http::Server::CookieWrite::SameSiteLax
-            or
-            str.getText().toLowerCase() = "none" and
-            v instanceof Http::Server::CookieWrite::SameSiteNone
-          )
-        )
-        or
-        not exists(this.getArgByName("samesite")) and
-        v instanceof Http::Server::CookieWrite::SameSiteLax // Lax is the default
-      }
     }
   }