simple dataflow for sensitive name

edvraa · edvraa · commit fa94fedfc30c · 2021-05-03T00:36:26.000+03:00
diff --git a/javascript/ql/src/semmle/javascript/security/InsecureCookie.qll b/javascript/ql/src/semmle/javascript/security/InsecureCookie.qll
@@ -58,6 +58,8 @@ module Cookie {
         ) and
         regexpMatchAuth(val)
       )
+      or
+      isAuthVariable(expr.getAPredecessor())
     }
 
     /**
diff --git a/javascript/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.expected b/javascript/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.expected
@@ -15,3 +15,4 @@
 | test_responseCookie.js:84:5:84:43 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true. |
 | test_responseCookie.js:95:5:95:41 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true. |
 | test_responseCookie.js:106:5:106:43 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true. |
+| test_responseCookie.js:117:5:117:40 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true. |
diff --git a/javascript/ql/test/query-tests/Security/CWE-1004/test_responseCookie.js b/javascript/ql/test/query-tests/Security/CWE-1004/test_responseCookie.js
@@ -107,6 +107,17 @@ app.get('/a', function (req, res, next) {
     res.end('ok')
 })
 
+app.get('/a', function (req, res, next) {
+    let options = {
+        maxAge: 9000000000,
+        httpOnly: false,
+    }
+    options.httpOnly = false;
+    let blabla = "session"
+    res.cookie(blabla, 'value', options); // BAD, var name likely auth related
+    res.end('ok')
+})
+
 app.get('/a', function (req, res, next) {
     let options = {
         maxAge: 9000000000,

Original file line number	Diff line number	Diff line change
`@@ -58,6 +58,8 @@ module Cookie {`
`58`	`58`	`) and`
`59`	`59`	`regexpMatchAuth(val)`
`60`	`60`	`)`
	`61`	`+ or`
	`62`	`+ isAuthVariable(expr.getAPredecessor())`
`61`	`63`	`}`
`62`	`64`
`63`	`65`	`/**`