Apply suggestions from code review

Edwin · esbena · web-flow · commit 27c680e28b6e · 2021-05-03T16:41:09.000+03:00
Co-authored-by: Esben Sparre Andreasen &lt;esbena@github.com&gt;
diff --git a/javascript/ql/src/experimental/Security/CWE-1004/CookieWithoutHttpOnly.qhelp b/javascript/ql/src/experimental/Security/CWE-1004/CookieWithoutHttpOnly.qhelp
@@ -8,7 +8,7 @@ Cross-Site Scripting (XSS) vulnerability the cookie can be stolen by malicious s
 </overview>
 <recommendation>
 
-<p>Protect sensitive cookies, such as related to authentication, by setting <code>HttpOnly</code> to <code>true</code> to make
+<p>Protect sensitive cookies, such as those related to authentication, by setting <code>HttpOnly</code> to <code>true</code> to make
 them not accessible to JavaScript.</p>
 
 </recommendation>
diff --git a/javascript/ql/src/experimental/Security/CWE-1004/CookieWithoutHttpOnly.ql b/javascript/ql/src/experimental/Security/CWE-1004/CookieWithoutHttpOnly.ql
@@ -1,9 +1,9 @@
 /**
  * @name 'HttpOnly' attribute is not set to true
- * @description Omitting the 'HttpOnly' attribute for security sensitive data allows
- *              malicious JavaScript to steal it in case of XSS vulnerability. Always set
- *              'HttpOnly' to 'true' to authentication related cookie to make it
- *              not accessible by JavaScript.
+ * @description Omitting the 'HttpOnly' attribute for security sensitive cookie data allows
+ *              malicious JavaScript to steal it in case of XSS vulnerabilities. Always set
+ *              'HttpOnly' to 'true' for authentication related cookies to make them
+ *              inaccessible from JavaScript.
  * @kind problem
  * @problem.severity warning
  * @precision high
@@ -17,4 +17,4 @@ import experimental.semmle.javascript.security.InsecureCookie::Cookie
 
 from Cookie cookie
 where cookie.isAuthNotHttpOnly()
-select cookie, "Cookie attribute 'HttpOnly' is not set to true."
+select cookie, "Cookie attribute 'HttpOnly' is not set to true for this sensitive cookie."
diff --git a/javascript/ql/src/experimental/semmle/javascript/security/InsecureCookie.qll b/javascript/ql/src/experimental/semmle/javascript/security/InsecureCookie.qll
@@ -1,7 +1,7 @@
 /**
  * Provides classes for reasoning about cookies added to response without the 'secure' or 'httponly' flag being set.
- * A cookie without the 'secure' flag being set can be intercepted and read by a malicious user.
- * A cookie without the 'httponly' flag being set can be read by an injected JavaScript
+ * - A cookie without the 'secure' flag being set can be intercepted and read by a malicious user.
+ * - A cookie without the 'httponly' flag being set can be read by maliciously injected JavaScript.
  */
 
 import javascript
@@ -64,7 +64,7 @@ module Cookie {
   }
 
   /**
-   * Holds if the string contains sensitive auth keyword, but not antiforgery token.
+   * Holds if `val` looks related to authentication, without being an anti-forgery token.
    */
   bindingset[val]
   private predicate regexpMatchAuth(string val) {
diff --git a/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll b/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll
@@ -165,9 +165,6 @@ class InvokeNode extends DataFlow::SourceNode {
     getOptionsArgument(i).hasPropertyWrite(name, result)
   }
 
-  /**
-   * Holds if the `i`th argument of this invocation is an object literal set to `result`.
-   */
   pragma[noinline]
   private ObjectLiteralNode getOptionsArgument(int i) { result.flowsTo(getArgument(i)) }
 

Original file line number	Diff line number	Diff line change
`@@ -165,9 +165,6 @@ class InvokeNode extends DataFlow::SourceNode {`
`165`	`165`	`getOptionsArgument(i).hasPropertyWrite(name, result)`
`166`	`166`	`}`
`167`	`167`
`168`		`- /**`
`169`		- * Holds if the `i`th argument of this invocation is an object literal set to `result`.
`170`		`- */`
`171`	`168`	`pragma[noinline]`
`172`	`169`	`private ObjectLiteralNode getOptionsArgument(int i) { result.flowsTo(getArgument(i)) }`
`173`	`170`