Add check for kwargs in cookie attribute predicates

Author: joefarebrother

python/ql/lib/semmle/python/Concepts.qll

@@ -1234,6 +1234,7 @@ module Http {
         )
         or
         not exists(this.getArgByName("secure")) and
+        not exists(this.getKwargs()) and
         b = false
       }
 
@@ -1246,6 +1247,7 @@ module Http {
         )
         or
         not exists(this.getArgByName("httponly")) and
+        not exists(this.getKwargs()) and
         b = false
       }
 
@@ -1267,6 +1269,7 @@ module Http {
         )
         or
         not exists(this.getArgByName("samesite")) and
+        not exists(this.getKwargs()) and
         v instanceof CookieWrite::SameSiteLax // Lax is the default
       }
     }

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPublic.qll

@@ -219,6 +219,12 @@ class CallCfgNode extends CfgNode, LocalSourceNode {
 
   /** Gets the data-flow node corresponding to the named argument of the call corresponding to this data-flow node */
   Node getArgByName(string name) { result.asCfgNode() = node.getArgByName(name) }
+
+  /** Gets the data-flow node corresponding to the first tuple (*) argument of the call corresponding to this data-flow node, if any. */
+  Node getStarArg() { result.asCfgNode() = node.getStarArg() }
+
+  /** Gets tje data-flow node corresponding to a dictionary (**) argument of the call corresponding to this data-flow node, if any. */
+  Node getKwargs() { result.asCfgNode() = node.getKwargs() }
 }
 
 /**