Update ConceptsTests and make a fix

Author: joefarebrother

python/ql/lib/semmle/python/Concepts.qll

@@ -1254,13 +1254,13 @@ module Http {
           exists(this.getHeaderArg()) and
           (
             exists(StringLiteral sl |
-              sl.getText().regexpMatch("(?i).*;\\s*secure;.*") and
+              sl.getText().regexpMatch("(?i).*;\\s*secure(;.*|\\s*)") and
               TaintTracking::localTaint(DataFlow::exprNode(sl), this.getHeaderArg()) and
               b = true
             )
             or
             exists(StringLiteral sl |
-              not sl.getText().regexpMatch("(?i).*;\\s*secure;.*") and
+              not sl.getText().regexpMatch("(?i).*;\\s*secure(;.*|\\s*)") and
               DataFlow::localFlow(DataFlow::exprNode(sl), this.getHeaderArg()) and
               b = false
             )
@@ -1274,13 +1274,13 @@ module Http {
           exists(this.getHeaderArg()) and
           (
             exists(StringLiteral sl |
-              sl.getText().regexpMatch("(?i).*;\\s*httponly;.*") and
+              sl.getText().regexpMatch("(?i).*;\\s*httponly(;.*|\\s*)") and
               TaintTracking::localTaint(DataFlow::exprNode(sl), this.getHeaderArg()) and
               b = true
             )
             or
             exists(StringLiteral sl |
-              not sl.getText().regexpMatch("(?i).*;\\s*httponly;.*") and
+              not sl.getText().regexpMatch("(?i).*;\\s*httponly(;.*|\\s*)") and
               DataFlow::localFlow(DataFlow::exprNode(sl), this.getHeaderArg()) and
               b = false
             )
@@ -1294,25 +1294,25 @@ module Http {
           exists(this.getHeaderArg()) and
           (
             exists(StringLiteral sl |
-              sl.getText().regexpMatch("(?i).*;\\s*samesite=strict;.*") and
+              sl.getText().regexpMatch("(?i).*;\\s*samesite=strict(;.*|\\s*)") and
               TaintTracking::localTaint(DataFlow::exprNode(sl), this.getHeaderArg()) and
               v instanceof SameSiteStrict
             )
             or
             exists(StringLiteral sl |
-              sl.getText().regexpMatch("(?i).*;\\s*samesite=lax;.*") and
+              sl.getText().regexpMatch("(?i).*;\\s*samesite=lax(;.*|\\s*)") and
               TaintTracking::localTaint(DataFlow::exprNode(sl), this.getHeaderArg()) and
               v instanceof SameSiteLax
             )
             or
             exists(StringLiteral sl |
-              sl.getText().regexpMatch("(?i).*;\\s*samesite=none;.*") and
+              sl.getText().regexpMatch("(?i).*;\\s*samesite=none(;.*|\\s*)") and
               TaintTracking::localTaint(DataFlow::exprNode(sl), this.getHeaderArg()) and
               v instanceof SameSiteNone
             )
             or
             exists(StringLiteral sl |
-              not sl.getText().regexpMatch("(?i).*;\\s*samesite=(strict|lax|none);.*") and
+              not sl.getText().regexpMatch("(?i).*;\\s*samesite=(strict|lax|none)(;.*|\\s*)") and
               DataFlow::localFlow(DataFlow::exprNode(sl), this.getHeaderArg()) and
               v instanceof SameSiteLax // Lax is the default
             )

python/ql/test/experimental/meta/ConceptsTest.qll

@@ -405,7 +405,10 @@ module HttpServerHttpRedirectResponseTest implements TestSig {
 
 module HttpServerCookieWriteTest implements TestSig {
   string getARelevantTag() {
-    result in ["CookieWrite", "CookieRawHeader", "CookieName", "CookieValue"]
+    result in [
+        "CookieWrite", "CookieRawHeader", "CookieName", "CookieValue", "CookieSecure",
+        "CookieHttpOnly", "CookieSameSite"
+      ]
   }
 
   predicate hasActualResult(Location location, string element, string tag, string value) {
@@ -428,6 +431,20 @@ module HttpServerCookieWriteTest implements TestSig {
         element = cookieWrite.toString() and
         value = prettyNodeForInlineTest(cookieWrite.getValueArg()) and
         tag = "CookieValue"
+        or
+        element = cookieWrite.toString() and
+        value = any(boolean b | cookieWrite.hasSecureFlag(b)).toString() and
+        tag = "CookieSecure"
+        or
+        element = cookieWrite.toString() and
+        value = any(boolean b | cookieWrite.hasHttpOnlyFlag(b)).toString() and
+        tag = "CookieHttpOnly"
+        or
+        element = cookieWrite.toString() and
+        value =
+          any(Http::Server::CookieWrite::SameSiteValue v | cookieWrite.hasSameSiteAttribute(v))
+              .toString() and
+        tag = "CookieSameSite"
       )
     )
   }

python/ql/test/library-tests/frameworks/aiohttp/response_test.py

@@ -96,10 +96,12 @@ async def streaming_response(request): # $ requestHandler
 async def setting_cookie(request): # $ requestHandler
     resp = web.Response(text="foo") # $ HttpResponse mimetype=text/plain responseBody="foo"
     resp.cookies["key"] = "value" # $ CookieWrite CookieName="key" CookieValue="value"
-    resp.headers["Set-Cookie"] = "key2=value2" # $ headerWriteName="Set-Cookie" headerWriteValue="key2=value2" CookieWrite CookieRawHeader="key2=value2"
-    resp.set_cookie("key3", "value3") # $ CookieWrite CookieName="key3" CookieValue="value3"
-    resp.set_cookie(name="key3", value="value3") # $ CookieWrite CookieName="key3" CookieValue="value3"
+    resp.headers["Set-Cookie"] = "key2=value2" # $ headerWriteName="Set-Cookie" headerWriteValue="key2=value2" CookieWrite CookieRawHeader="key2=value2" CookieSecure=false CookieHttpOnly=false CookieSameSite=Lax
+    resp.set_cookie("key3", "value3") # $ CookieWrite CookieName="key3" CookieValue="value3" CookieSecure=false CookieHttpOnly=false CookieSameSite=Lax
+    resp.set_cookie(name="key3", value="value3") # $ CookieWrite CookieName="key3" CookieValue="value3" CookieSecure=false CookieHttpOnly=false CookieSameSite=Lax
     resp.del_cookie("key4") # $ CookieWrite CookieName="key4"
+    resp.set_cookie(name="key5", value="value5", secure=True, httponly=True, samesite="Strict") # $ CookieWrite CookieName="key5" CookieValue="value5" CookieSecure=true CookieHttpOnly=true CookieSameSite=Strict
+    resp.headers["Set-Cookie"] = "key6=value6; Secure; HttpOnly; SameSite=Strict" # $ headerWriteName="Set-Cookie" headerWriteValue="key6=value6; Secure; HttpOnly; SameSite=Strict" CookieWrite CookieRawHeader="key6=value6; Secure; HttpOnly; SameSite=Strict" CookieSecure=true CookieHttpOnly=true CookieSameSite=Strict
     return resp
 
 

python/ql/test/library-tests/frameworks/django-v2-v3/response_test.py

@@ -128,11 +128,12 @@ def safe__custom_json_response(request):
 
 def setting_cookie(request):
     resp = HttpResponse() # $ HttpResponse mimetype=text/html
-    resp.set_cookie("key", "value") # $ CookieWrite CookieName="key" CookieValue="value"
-    resp.set_cookie(key="key", value="value") # $ CookieWrite CookieName="key" CookieValue="value"
-    resp.headers["Set-Cookie"] = "key2=value2" # $ headerWriteName="Set-Cookie" headerWriteValue="key2=value2" CookieWrite CookieRawHeader="key2=value2"
+    resp.set_cookie("key", "value") # $ CookieWrite CookieName="key" CookieValue="value" CookieSecure=false CookieHttpOnly=false CookieSameSite=Lax
+    resp.set_cookie(key="key", value="value") # $ CookieWrite CookieName="key" CookieValue="value" CookieSecure=false CookieHttpOnly=false CookieSameSite=Lax
+    resp.headers["Set-Cookie"] = "key2=value2" # $ headerWriteName="Set-Cookie" headerWriteValue="key2=value2" CookieWrite CookieRawHeader="key2=value2" CookieSecure=false CookieHttpOnly=false CookieSameSite=Lax
     resp.cookies["key3"] = "value3" # $ CookieWrite CookieName="key3" CookieValue="value3"
     resp.delete_cookie("key4") # $ CookieWrite CookieName="key4"
     resp.delete_cookie(key="key4") # $ CookieWrite CookieName="key4"
-    resp["Set-Cookie"] = "key5=value5" # $ headerWriteName="Set-Cookie" headerWriteValue="key5=value5" CookieWrite CookieRawHeader="key5=value5"
+    resp["Set-Cookie"] = "key5=value5" # $ headerWriteName="Set-Cookie" headerWriteValue="key5=value5" CookieWrite CookieRawHeader="key5=value5" CookieSecure=false CookieHttpOnly=false CookieSameSite=Lax
+    resp.set_cookie(key="key6", value="value6", secure=True, httponly=False, samesite="None") # $ CookieWrite CookieName="key6" CookieValue="value6" CookieSecure=true CookieHttpOnly=false CookieSameSite=None 
     return resp

python/ql/test/library-tests/frameworks/fastapi/response_test.py

@@ -9,10 +9,11 @@
 
 @app.get("/response_parameter") # $ routeSetup="/response_parameter"
 async def response_parameter(response: Response): # $ requestHandler
-    response.set_cookie("key", "value") # $ CookieWrite CookieName="key" CookieValue="value"
-    response.set_cookie(key="key", value="value") # $ CookieWrite CookieName="key" CookieValue="value"
-    response.headers.append("Set-Cookie", "key2=value2") # $ headerWriteName="Set-Cookie" headerWriteValue="key2=value2" CookieWrite CookieRawHeader="key2=value2"
-    response.headers.append(key="Set-Cookie", value="key2=value2") # $ headerWriteName="Set-Cookie" headerWriteValue="key2=value2" CookieWrite CookieRawHeader="key2=value2"
+    response.set_cookie("key", "value") # $ CookieWrite CookieName="key" CookieValue="value" CookieSecure=false CookieHttpOnly=false CookieSameSite=Lax
+    response.set_cookie(key="key", value="value") # $ CookieWrite CookieName="key" CookieValue="value" CookieSecure=false CookieHttpOnly=false CookieSameSite=Lax
+    response.set_cookie(key="key", value="value", secure=False, httponly=True, samesite="Lax") # $ CookieWrite CookieName="key" CookieValue="value" CookieSecure=false CookieHttpOnly=true CookieSameSite=Lax
+    response.headers.append("Set-Cookie", "key2=value2") # $ headerWriteName="Set-Cookie" headerWriteValue="key2=value2" CookieWrite CookieRawHeader="key2=value2" CookieSecure=false CookieHttpOnly=false CookieSameSite=Lax
+    response.headers.append(key="Set-Cookie", value="key2=value2") # $ headerWriteName="Set-Cookie" headerWriteValue="key2=value2" CookieWrite CookieRawHeader="key2=value2" CookieSecure=false CookieHttpOnly=false CookieSameSite=Lax
     response.headers["X-MyHeader"] = "header-value" # $ headerWriteName="X-MyHeader" headerWriteValue="header-value"
     response.status_code = 418
     return {"message": "response as parameter"} # $ HttpResponse mimetype=application/json responseBody=Dict
@@ -44,7 +45,7 @@ async def response_parameter_custom_type(response: MyXmlResponse): # $ requestHa
     # propagated to the final response though.
     print(type(response))
     assert type(response) == fastapi.responses.Response
-    response.set_cookie("key", "value") # $ CookieWrite CookieName="key" CookieValue="value"
+    response.set_cookie("key", "value") # $ CookieWrite CookieName="key" CookieValue="value" CookieSecure=false CookieHttpOnly=false CookieSameSite=Lax
     response.headers["Custom-Response-Type"] = "yes, but only after function has run" # $ headerWriteName="Custom-Response-Type" headerWriteValue="yes, but only after function has run"
     xml_data = "<foo>FOO</foo>"
     return xml_data # $ HttpResponse responseBody=xml_data mimetype=application/xml

python/ql/test/library-tests/frameworks/flask/response_test.py

@@ -203,12 +203,17 @@ def redirect_simple():  # $requestHandler
 # Cookies
 ################################################################################
 
+def unk():
+    return
+
 @app.route("/setting_cookie")  # $routeSetup="/setting_cookie"
 def setting_cookie():  # $requestHandler
     resp = make_response() # $ HttpResponse mimetype=text/html
-    resp.set_cookie("key", "value") # $ CookieWrite CookieName="key" CookieValue="value"
-    resp.set_cookie(key="key", value="value") # $ CookieWrite CookieName="key" CookieValue="value"
-    resp.headers.add("Set-Cookie", "key2=value2") # $ headerWriteNameUnsanitized="Set-Cookie" headerWriteValue="key2=value2" CookieWrite CookieRawHeader="key2=value2"
+    resp.set_cookie("key", "value") # $ CookieWrite CookieName="key" CookieValue="value" CookieSecure=false CookieHttpOnly=false CookieSameSite=Lax
+    resp.set_cookie(key="key", value="value") # $ CookieWrite CookieName="key" CookieValue="value" CookieSecure=false CookieHttpOnly=false CookieSameSite=Lax
+    resp.set_cookie(key="key", value="value", secure=True, httponly=True, samesite="Strict") # $ CookieWrite CookieName="key" CookieValue="value" CookieSecure=true CookieHttpOnly=true CookieSameSite=Strict
+    resp.set_cookie(key="key", value="value", secure=unk(), httponly=unk(), samesite=unk()) # $ CookieWrite CookieName="key" CookieValue="value" 
+    resp.headers.add("Set-Cookie", "key2=value2") # $ headerWriteNameUnsanitized="Set-Cookie" headerWriteValue="key2=value2" CookieWrite CookieRawHeader="key2=value2" CookieSecure=false CookieHttpOnly=false CookieSameSite=Lax
     resp.delete_cookie("key3") # $ CookieWrite CookieName="key3"
     resp.delete_cookie(key="key3") # $ CookieWrite CookieName="key3"
     return resp  # $ SPURIOUS: HttpResponse mimetype=text/html responseBody=resp

python/ql/test/library-tests/frameworks/pyramid/pyramid_test.py

@@ -86,8 +86,9 @@ def test2(request): # $ requestHandler
 def test3(ctx, req): # $ requestHandler 
     ensure_tainted(req) # $ tainted
     resp = req.response # $ HttpResponse mimetype=text/html
-    resp.set_cookie("hi", "there") # $ CookieWrite CookieName="hi" CookieValue="there"
-    resp.set_cookie(value="there", name="hi") # $ CookieWrite CookieName="hi" CookieValue="there"
+    resp.set_cookie("hi", "there") # $ CookieWrite CookieName="hi" CookieValue="there" CookieSecure=false CookieHttpOnly=false CookieSameSite=Lax
+    resp.set_cookie(value="there", name="hi") # $ CookieWrite CookieName="hi" CookieValue="there" CookieSecure=false CookieHttpOnly=false CookieSameSite=Lax
+    resp.set_cookie("hi", "there", secure=True, httponly=True, samesite="Strict") # $ CookieWrite CookieName="hi" CookieValue="there" CookieSecure=true CookieHttpOnly=true CookieSameSite=Strict
     return "Ok" # $ HttpResponse responseBody="Ok" mimetype=text/html
 
 @view_config(route_name="test4", renderer="string") # $ routeSetup

python/ql/test/library-tests/frameworks/rest_framework/response_test.py

@@ -7,7 +7,7 @@ def normal_response(request): # $ requestHandler
     # has no pre-defined content type, since that will be negotiated
     # see https://www.django-rest-framework.org/api-guide/responses/
     data = "data"
-    resp = Response(data) # $ HttpResponse responseBody=data
+    resp = Response(data) # $ HttpResponse responseBody=data mimetype=text/html
     return resp
 
 @api_view()
@@ -25,10 +25,10 @@ def plain_text_response(request): # $ requestHandler
 
 @api_view
 def setting_cookie(request):
-    resp = Response() # $ HttpResponse
-    resp.set_cookie("key", "value") # $ CookieWrite CookieName="key" CookieValue="value"
-    resp.set_cookie(key="key4", value="value") # $ CookieWrite CookieName="key4" CookieValue="value"
-    resp.headers["Set-Cookie"] = "key2=value2" # $ headerWriteName="Set-Cookie" headerWriteValue="key2=value2" CookieWrite CookieRawHeader="key2=value2"
+    resp = Response() # $ HttpResponse mimetype=text/html
+    resp.set_cookie("key", "value") # $ CookieWrite CookieName="key" CookieValue="value" CookieSecure=false CookieHttpOnly=false CookieSameSite=Lax
+    resp.set_cookie(key="key4", value="value") # $ CookieWrite CookieName="key4" CookieValue="value" CookieSecure=false CookieHttpOnly=false CookieSameSite=Lax
+    resp.headers["Set-Cookie"] = "key2=value2" # $ headerWriteName="Set-Cookie" headerWriteValue="key2=value2" CookieWrite CookieRawHeader="key2=value2" CookieSecure=false CookieHttpOnly=false CookieSameSite=Lax
     resp.cookies["key3"] = "value3" # $ CookieWrite CookieName="key3" CookieValue="value3"
     resp.delete_cookie("key4") # $ CookieWrite CookieName="key4"
     resp.delete_cookie(key="key4") # $ CookieWrite CookieName="key4"

python/ql/test/library-tests/frameworks/rest_framework/testapp/views.py

@@ -68,9 +68,9 @@ def function_based_view(request: Request): # $ requestHandler
 @api_view(["GET", "POST"])
 def cookie_test(request: Request): # $ requestHandler
     resp = Response("wat") # $ HttpResponse
-    resp.set_cookie("key", "value") # $ CookieWrite CookieName="key" CookieValue="value"
-    resp.set_cookie(key="key4", value="value") # $ CookieWrite CookieName="key4" CookieValue="value"
-    resp.headers["Set-Cookie"] = "key2=value2" # $ headerWriteName="Set-Cookie" headerWriteValue="key2=value2" CookieWrite CookieRawHeader="key2=value2"
+    resp.set_cookie("key", "value") # $ CookieWrite CookieName="key" CookieValue="value" CookieSecure=false CookieHttpOnly=false CookieSameSite=Lax
+    resp.set_cookie(key="key4", value="value") # $ CookieWrite CookieName="key4" CookieValue="value" CookieSecure=false CookieHttpOnly=false CookieSameSite=Lax
+    resp.headers["Set-Cookie"] = "key2=value2" # $ headerWriteName="Set-Cookie" headerWriteValue="key2=value2" CookieWrite CookieRawHeader="key2=value2" CookieSecure=false CookieHttpOnly=false CookieSameSite=Lax
     resp.cookies["key3"] = "value3" # $ CookieWrite CookieName="key3" CookieValue="value3"
     return resp