@@ -1250,17 +1250,70 @@ module Http {
1250
1250
/**
1251
1251
* Holds if the `Secure` flag of the cookie is known to have a value of `b`.
1252
1252
*/
1253
- predicate hasSecureFlag ( boolean b ) { none ( ) }
1253
+ predicate hasSecureFlag ( boolean b ) {
1254
+ exists ( this .getHeaderArg ( ) ) and
1255
+ (
1256
+ exists ( StringLiteral sl |
1257
+ sl .getText ( ) .regexpMatch ( "(?i).*;\\s*secure;.*" ) and
1258
+ TaintTracking:: localTaint ( DataFlow:: exprNode ( sl ) , this .getHeaderArg ( ) ) and
1259
+ b = true
1260
+ )
1261
+ or
1262
+ exists ( StringLiteral sl |
1263
+ not sl .getText ( ) .regexpMatch ( "(?i).*;\\s*secure;.*" ) and
1264
+ DataFlow:: localFlow ( DataFlow:: exprNode ( sl ) , this .getHeaderArg ( ) ) and
1265
+ b = false
1266
+ )
1267
+ )
1268
+ }
1254
1269
1255
1270
/**
1256
1271
* Holds if the `HttpOnly` flag of the cookie is known to have a value of `b`.
1257
1272
*/
1258
- predicate hasHttpOnlyFlag ( boolean b ) { none ( ) }
1273
+ predicate hasHttpOnlyFlag ( boolean b ) {
1274
+ exists ( this .getHeaderArg ( ) ) and
1275
+ (
1276
+ exists ( StringLiteral sl |
1277
+ sl .getText ( ) .regexpMatch ( "(?i).*;\\s*httponly;.*" ) and
1278
+ TaintTracking:: localTaint ( DataFlow:: exprNode ( sl ) , this .getHeaderArg ( ) ) and
1279
+ b = true
1280
+ )
1281
+ or
1282
+ exists ( StringLiteral sl |
1283
+ not sl .getText ( ) .regexpMatch ( "(?i).*;\\s*httponly;.*" ) and
1284
+ DataFlow:: localFlow ( DataFlow:: exprNode ( sl ) , this .getHeaderArg ( ) ) and
1285
+ b = false
1286
+ )
1287
+ )
1288
+ }
1259
1289
1260
1290
/**
1261
1291
* Holds if the `SameSite` flag of the cookie is known to have a value of `b`.
1262
1292
*/
1263
- predicate hasSameSiteFlag ( boolean b ) { none ( ) }
1293
+ // TODO: b could be a newtype with 3 values indicating Strict,Lax,or None
1294
+ // currently, Strict and Lax are represented with true and None is represented with false.
1295
+ predicate hasSameSiteFlag ( boolean b ) {
1296
+ exists ( this .getHeaderArg ( ) ) and
1297
+ (
1298
+ exists ( StringLiteral sl |
1299
+ sl .getText ( ) .regexpMatch ( "(?i).*;\\s*samesite=(strict|lax);.*" ) and
1300
+ TaintTracking:: localTaint ( DataFlow:: exprNode ( sl ) , this .getHeaderArg ( ) ) and
1301
+ b = true
1302
+ )
1303
+ or
1304
+ exists ( StringLiteral sl |
1305
+ sl .getText ( ) .regexpMatch ( "(?i).*;\\s*samesite=none;.*" ) and
1306
+ TaintTracking:: localTaint ( DataFlow:: exprNode ( sl ) , this .getHeaderArg ( ) ) and
1307
+ b = false
1308
+ )
1309
+ or
1310
+ exists ( StringLiteral sl |
1311
+ not sl .getText ( ) .regexpMatch ( "(?i).*;\\s*samesite=(strict|lax|none);.*" ) and
1312
+ DataFlow:: localFlow ( DataFlow:: exprNode ( sl ) , this .getHeaderArg ( ) ) and
1313
+ b = true // Lax is the default
1314
+ )
1315
+ )
1316
+ }
1264
1317
}
1265
1318
}
1266
1319
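Review bot: All seven patterns require a `;` after the attribute, so a literal whose last attribute is the flag, such as the constructed sample `"id=1; Secure"`, fails the match and lands in the `not … regexpMatch` branch. For `hasSecureFlag` and `hasHttpOnlyFlag` that yields `b = false` for a cookie that does carry the flag. In `hasSameSiteFlag` a trailing `SameSite=None` falls through to the last disjunct and yields `b = true`, which hides the weakest setting from any query built on this predicate. Making the terminator optional covers both cases, e.g. `"(?i).*;\\s*secure\\s*(;.*)?"` and `"(?i).*;\\s*samesite\\s*=\\s*none\\s*(;.*)?"`, with the same change applied to the remaining patterns. The `// Lax is the default` disjunct also assumes the client applies that default, which not every browser does, so consider leaving `b` unbound when no `SameSite` attribute is present or stating the assumption in the predicate's doc comment.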