Add unit tests

joefarebrother · joefarebrother · commit 93f70b3ad9c2 · 2024-07-23T10:15:23.000+01:00
diff --git a/python/ql/src/Security/CWE-614/InsecureCookie.ql b/python/ql/src/Security/CWE-614/InsecureCookie.ql
@@ -38,7 +38,7 @@ predicate hasAlert(Http::Server::CookieWrite cookie, string alert) {
     or
     numProblems = 2 and
     alert =
-      strictconcat(string prob, int idx | hasProblem(cookie, prob, idx) | " and ", prob order by idx)
+      strictconcat(string prob, int idx | hasProblem(cookie, prob, idx) | prob, " and " order by idx)
         + " attributes"
     or
     numProblems = 3 and
diff --git a/python/ql/test/query-tests/Security/CWE-614-InsecureCookie/InsecureCookie.expected b/python/ql/test/query-tests/Security/CWE-614-InsecureCookie/InsecureCookie.expected
@@ -0,0 +1,10 @@
+| test.py:10:5:10:37 | ControlFlowNode for Attribute() | Cookie is added without the Secure and HttpOnly attributes properly set. |
+| test.py:11:5:11:50 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
+| test.py:12:5:12:52 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
+| test.py:13:5:13:56 | ControlFlowNode for Attribute() | Cookie is added without the Secure and HttpOnly attributes properly set. |
+| test.py:14:5:14:53 | ControlFlowNode for Attribute() | Cookie is added without the Secure and HttpOnly attributes properly set. |
+| test.py:15:5:15:54 | ControlFlowNode for Attribute() | Cookie is added without the Secure, HttpOnly, and SameSite attributes properly set. |
+| test.py:16:5:16:69 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
+| test.py:17:5:17:71 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
+| test.py:18:5:18:67 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly and SameSite attributes properly set. |
+| test.py:19:5:19:69 | ControlFlowNode for Attribute() | Cookie is added without the Secure and SameSite attributes properly set. |
diff --git a/python/ql/test/query-tests/Security/CWE-614-InsecureCookie/InsecureCookie.qlref b/python/ql/test/query-tests/Security/CWE-614-InsecureCookie/InsecureCookie.qlref
@@ -0,0 +1 @@
+Security/CWE-614/InsecureCookie.ql
diff --git a/python/ql/test/query-tests/Security/CWE-614-InsecureCookie/test.py b/python/ql/test/query-tests/Security/CWE-614-InsecureCookie/test.py
@@ -0,0 +1,20 @@
+from flask import Flask, request, make_response
+import lxml.etree
+import markupsafe
+
+app = Flask(__name__)
+
+@app.route("/test")
+def test():
+    resp = make_response()
+    resp.set_cookie("key1", "value1")
+    resp.set_cookie("key2", "value2", secure=True)
+    resp.set_cookie("key2", "value2", httponly=True)
+    resp.set_cookie("key2", "value2", samesite="Strict")
+    resp.set_cookie("key2", "value2", samesite="Lax")
+    resp.set_cookie("key2", "value2", samesite="None")
+    resp.set_cookie("key2", "value2", secure=True, samesite="Strict")
+    resp.set_cookie("key2", "value2", httponly=True, samesite="Strict")
+    resp.set_cookie("key2", "value2", secure=True, samesite="None")
+    resp.set_cookie("key2", "value2", httponly=True, samesite="None")
+    resp.set_cookie("key2", "value2", secure=True, httponly=True, samesite="Strict")
