Add cookie models to each framework

joefarebrother · joefarebrother · commit be87eb50d494 · 2024-07-23T10:15:02.000+01:00
diff --git a/python/ql/lib/semmle/python/frameworks/Aiohttp.qll b/python/ql/lib/semmle/python/frameworks/Aiohttp.qll
@@ -664,6 +664,51 @@ module AiohttpWebModel {
     override DataFlow::Node getNameArg() { result in [this.getArg(0), this.getArgByName("name")] }
 
     override DataFlow::Node getValueArg() { result in [this.getArg(1), this.getArgByName("value")] }
+
+    override predicate hasSecureFlag(boolean b) {
+      super.hasSecureFlag(b)
+      or
+      exists(DataFlow::Node arg, BooleanLiteral bool | arg = this.getArgByName("secure") |
+        DataFlow::localFlow(DataFlow::exprNode(bool), arg) and
+        b = bool.booleanValue()
+      )
+      or
+      not exists(this.getArgByName("secure")) and
+      b = false
+    }
+
+    override predicate hasHttpOnlyFlag(boolean b) {
+      super.hasHttpOnlyFlag(b)
+      or
+      exists(DataFlow::Node arg, BooleanLiteral bool | arg = this.getArgByName("httponly") |
+        DataFlow::localFlow(DataFlow::exprNode(bool), arg) and
+        b = bool.booleanValue()
+      )
+      or
+      not exists(this.getArgByName("httponly")) and
+      b = false
+    }
+
+    override predicate hasSameSiteAttribute(Http::Server::CookieWrite::SameSiteValue v) {
+      super.hasSameSiteAttribute(v)
+      or
+      exists(DataFlow::Node arg, StringLiteral str | arg = this.getArgByName("samesite") |
+        DataFlow::localFlow(DataFlow::exprNode(str), arg) and
+        (
+          str.getText().toLowerCase() = "strict" and
+          v instanceof Http::Server::CookieWrite::SameSiteStrict
+          or
+          str.getText().toLowerCase() = "lax" and
+          v instanceof Http::Server::CookieWrite::SameSiteLax
+          or
+          str.getText().toLowerCase() = "none" and
+          v instanceof Http::Server::CookieWrite::SameSiteNone
+        )
+      )
+      or
+      not exists(this.getArgByName("samesite")) and
+      v instanceof Http::Server::CookieWrite::SameSiteLax // Lax is the default
+    }
   }
 
   /**
diff --git a/python/ql/lib/semmle/python/frameworks/Django.qll b/python/ql/lib/semmle/python/frameworks/Django.qll
@@ -2220,7 +2220,7 @@ module PrivateDjango {
                 str.getText().toLowerCase() = "strict" and
                 v instanceof Http::Server::CookieWrite::SameSiteStrict
                 or
-                str.getText().toLowerCase() = "strict" and
+                str.getText().toLowerCase() = "lax" and
                 v instanceof Http::Server::CookieWrite::SameSiteLax
                 or
                 str.getText().toLowerCase() = "none" and
diff --git a/python/ql/lib/semmle/python/frameworks/FastApi.qll b/python/ql/lib/semmle/python/frameworks/FastApi.qll
@@ -358,6 +358,51 @@ module FastApi {
       override DataFlow::Node getValueArg() {
         result in [this.getArg(1), this.getArgByName("value")]
       }
+
+      override predicate hasSecureFlag(boolean b) {
+        super.hasSecureFlag(b)
+        or
+        exists(DataFlow::Node arg, BooleanLiteral bool | arg = this.getArgByName("secure") |
+          DataFlow::localFlow(DataFlow::exprNode(bool), arg) and
+          b = bool.booleanValue()
+        )
+        or
+        not exists(this.getArgByName("secure")) and
+        b = false
+      }
+
+      override predicate hasHttpOnlyFlag(boolean b) {
+        super.hasHttpOnlyFlag(b)
+        or
+        exists(DataFlow::Node arg, BooleanLiteral bool | arg = this.getArgByName("httponly") |
+          DataFlow::localFlow(DataFlow::exprNode(bool), arg) and
+          b = bool.booleanValue()
+        )
+        or
+        not exists(this.getArgByName("httponly")) and
+        b = false
+      }
+
+      override predicate hasSameSiteAttribute(Http::Server::CookieWrite::SameSiteValue v) {
+        super.hasSameSiteAttribute(v)
+        or
+        exists(DataFlow::Node arg, StringLiteral str | arg = this.getArgByName("samesite") |
+          DataFlow::localFlow(DataFlow::exprNode(str), arg) and
+          (
+            str.getText().toLowerCase() = "strict" and
+            v instanceof Http::Server::CookieWrite::SameSiteStrict
+            or
+            str.getText().toLowerCase() = "lax" and
+            v instanceof Http::Server::CookieWrite::SameSiteLax
+            or
+            str.getText().toLowerCase() = "none" and
+            v instanceof Http::Server::CookieWrite::SameSiteNone
+          )
+        )
+        or
+        not exists(this.getArgByName("samesite")) and
+        v instanceof Http::Server::CookieWrite::SameSiteLax // Lax is the default
+      }
     }
 
     /**
diff --git a/python/ql/lib/semmle/python/frameworks/Flask.qll b/python/ql/lib/semmle/python/frameworks/Flask.qll
@@ -627,7 +627,7 @@ module Flask {
           str.getText().toLowerCase() = "strict" and
           v instanceof Http::Server::CookieWrite::SameSiteStrict
           or
-          str.getText().toLowerCase() = "strict" and
+          str.getText().toLowerCase() = "lax" and
           v instanceof Http::Server::CookieWrite::SameSiteLax
           or
           str.getText().toLowerCase() = "none" and
diff --git a/python/ql/lib/semmle/python/frameworks/Pyramid.qll b/python/ql/lib/semmle/python/frameworks/Pyramid.qll
@@ -265,6 +265,51 @@ module Pyramid {
       override DataFlow::Node getValueArg() {
         result = [this.getArg(1), this.getArgByName("value")]
       }
+
+      override predicate hasSecureFlag(boolean b) {
+        super.hasSecureFlag(b)
+        or
+        exists(DataFlow::Node arg, BooleanLiteral bool | arg = this.getArgByName("secure") |
+          DataFlow::localFlow(DataFlow::exprNode(bool), arg) and
+          b = bool.booleanValue()
+        )
+        or
+        not exists(this.getArgByName("secure")) and
+        b = false
+      }
+
+      override predicate hasHttpOnlyFlag(boolean b) {
+        super.hasHttpOnlyFlag(b)
+        or
+        exists(DataFlow::Node arg, BooleanLiteral bool | arg = this.getArgByName("httponly") |
+          DataFlow::localFlow(DataFlow::exprNode(bool), arg) and
+          b = bool.booleanValue()
+        )
+        or
+        not exists(this.getArgByName("httponly")) and
+        b = false
+      }
+
+      override predicate hasSameSiteAttribute(Http::Server::CookieWrite::SameSiteValue v) {
+        super.hasSameSiteAttribute(v)
+        or
+        exists(DataFlow::Node arg, StringLiteral str | arg = this.getArgByName("samesite") |
+          DataFlow::localFlow(DataFlow::exprNode(str), arg) and
+          (
+            str.getText().toLowerCase() = "strict" and
+            v instanceof Http::Server::CookieWrite::SameSiteStrict
+            or
+            str.getText().toLowerCase() = "lax" and
+            v instanceof Http::Server::CookieWrite::SameSiteLax
+            or
+            str.getText().toLowerCase() = "none" and
+            v instanceof Http::Server::CookieWrite::SameSiteNone
+          )
+        )
+        or
+        not exists(this.getArgByName("samesite")) and
+        v instanceof Http::Server::CookieWrite::SameSiteLax // Lax is the default
+      }
     }
   }
 
diff --git a/python/ql/lib/semmle/python/frameworks/Tornado.qll b/python/ql/lib/semmle/python/frameworks/Tornado.qll
@@ -604,5 +604,50 @@ module Tornado {
     override DataFlow::Node getNameArg() { result in [this.getArg(0), this.getArgByName("name")] }
 
     override DataFlow::Node getValueArg() { result in [this.getArg(1), this.getArgByName("value")] }
+
+    override predicate hasSecureFlag(boolean b) {
+      super.hasSecureFlag(b)
+      or
+      exists(DataFlow::Node arg, BooleanLiteral bool | arg = this.getArgByName("secure") |
+        DataFlow::localFlow(DataFlow::exprNode(bool), arg) and
+        b = bool.booleanValue()
+      )
+      or
+      not exists(this.getArgByName("secure")) and
+      b = false
+    }
+
+    override predicate hasHttpOnlyFlag(boolean b) {
+      super.hasHttpOnlyFlag(b)
+      or
+      exists(DataFlow::Node arg, BooleanLiteral bool | arg = this.getArgByName("httponly") |
+        DataFlow::localFlow(DataFlow::exprNode(bool), arg) and
+        b = bool.booleanValue()
+      )
+      or
+      not exists(this.getArgByName("httponly")) and
+      b = false
+    }
+
+    override predicate hasSameSiteAttribute(Http::Server::CookieWrite::SameSiteValue v) {
+      super.hasSameSiteAttribute(v)
+      or
+      exists(DataFlow::Node arg, StringLiteral str | arg = this.getArgByName("samesite") |
+        DataFlow::localFlow(DataFlow::exprNode(str), arg) and
+        (
+          str.getText().toLowerCase() = "strict" and
+          v instanceof Http::Server::CookieWrite::SameSiteStrict
+          or
+          str.getText().toLowerCase() = "lax" and
+          v instanceof Http::Server::CookieWrite::SameSiteLax
+          or
+          str.getText().toLowerCase() = "none" and
+          v instanceof Http::Server::CookieWrite::SameSiteNone
+        )
+      )
+      or
+      not exists(this.getArgByName("samesite")) and
+      v instanceof Http::Server::CookieWrite::SameSiteLax // Lax is the default
+    }
   }
 }
diff --git a/python/ql/lib/semmle/python/frameworks/Twisted.qll b/python/ql/lib/semmle/python/frameworks/Twisted.qll
@@ -245,6 +245,49 @@ private module Twisted {
     override DataFlow::Node getNameArg() { result in [this.getArg(0), this.getArgByName("k")] }
 
     override DataFlow::Node getValueArg() { result in [this.getArg(1), this.getArgByName("v")] }
+
+    override predicate hasSecureFlag(boolean b) {
+      super.hasSecureFlag(b)
+      or
+      exists(DataFlow::Node arg, BooleanLiteral bool | arg = this.getArgByName("secure") |
+        DataFlow::localFlow(DataFlow::exprNode(bool), arg) and
+        b = bool.booleanValue()
+      )
+      or
+      not exists(this.getArgByName("secure")) and
+      b = false
+    }
+
+    override predicate hasHttpOnlyFlag(boolean b) {
+      super.hasHttpOnlyFlag(b)
+      or
+      exists(DataFlow::Node arg, BooleanLiteral bool | arg = this.getArgByName("httponly") |
+        DataFlow::localFlow(DataFlow::exprNode(bool), arg) and
+        b = bool.booleanValue()
+      )
+      or
+      not exists(this.getArgByName("httponly")) and
+      b = false
+    }
+
+    override predicate hasSameSiteAttribute(Http::Server::CookieWrite::SameSiteValue v) {
+      super.hasSameSiteAttribute(v)
+      or
+      exists(DataFlow::Node arg, StringLiteral str | arg = this.getArgByName("samesite") |
+        DataFlow::localFlow(DataFlow::exprNode(str), arg) and
+        (
+          str.getText().toLowerCase() = "strict" and
+          v instanceof Http::Server::CookieWrite::SameSiteStrict
+          or
+          str.getText().toLowerCase() = "lax" and
+          v instanceof Http::Server::CookieWrite::SameSiteLax
+          // sting "none" is not accepted
+        )
+      )
+      or
+      not exists(this.getArgByName("samesite")) and
+      v instanceof Http::Server::CookieWrite::SameSiteLax // Lax is the default
+    }
   }
 
   /**
