comments

Author: edvraa

csharp/ql/src/Security Features/CWE-614/RequireSSL.ql

@@ -17,6 +17,8 @@ import csharp
 import semmle.code.asp.WebConfig
 import semmle.code.csharp.frameworks.system.Web
 
+// the query is a subset of `cs/web/cookie-secure-not-set` and
+// should be removed once it is promoted from experimental
 from XMLElement element
 where
   element instanceof FormsElement and

csharp/ql/src/experimental/Security Features/CWE-614/CookieWithoutSecure.ql

@@ -63,6 +63,7 @@ where
         // the property wasn't explicitly set, so a default value from config is used
         not isPropertySet(oc, "Secure") and
         // the default in config is not set to `true`
+        // the `exists` below covers the `cs/web/cookie-secure-not-set`
         not exists(XMLElement element |
           element instanceof FormsElement and
           element.(FormsElement).isRequireSSL()

csharp/ql/src/semmle/code/asp/WebConfig.qll

@@ -70,28 +70,40 @@ class FormsElement extends XMLElement {
     this = any(SystemWebXMLElement sw).getAChild("authentication").getAChild("forms")
   }
 
+  /**
+   * Gets attribute's `requireSSL` value.
+   */
   string getRequireSSL() { result = getAttribute("requireSSL").getValue().trim().toLowerCase() }
 
+  /**
+   * Holds if `requireSSL` value is true.
+   */
   predicate isRequireSSL() { getRequireSSL() = "true" }
 }
 
 /** A `<httpCookies>` tag in an ASP.NET configuration file. */
 class HttpCookiesElement extends XMLElement {
   HttpCookiesElement() { this = any(SystemWebXMLElement sw).getAChild("httpCookies") }
 
+  /**
+   * Gets attribute's `httpOnlyCookies` value.
+   */
   string getHttpOnlyCookies() {
     result = getAttribute("httpOnlyCookies").getValue().trim().toLowerCase()
   }
 
   /**
-   * Holds if there any chance that `httpOnlyCookies` is set to `true`.
+   * Holds if there is any chance that `httpOnlyCookies` is set to `true`.
    */
   predicate isHttpOnlyCookies() { getHttpOnlyCookies() = "true" }
 
+  /**
+   * Gets attribute's `requireSSL` value.
+   */
   string getRequireSSL() { result = getAttribute("requireSSL").getValue().trim().toLowerCase() }
 
   /**
-   * Holds if there any chance that `requireSSL` is set to `true` either globally or for Forms.
+   * Holds if there is any chance that `requireSSL` is set to `true` either globally or for Forms.
    */
   predicate isRequireSSL() {
     getRequireSSL() = "true"

csharp/ql/src/semmle/code/csharp/dataflow/flowsources/AuthCookie.qll

@@ -141,10 +141,16 @@ class OnAppendCookieHttpOnlyTrackingConfig extends OnAppendCookieTrackingConfig
   override string propertyName() { result = "HttpOnly" }
 }
 
+/**
+ * Tracks if a callback used in `OnAppendCookie` sets a cookie property to `true`.
+ */
 abstract class OnAppendCookieTrackingConfig extends DataFlow::Configuration {
   bindingset[this]
   OnAppendCookieTrackingConfig() { any() }
 
+  /**
+   * Specifies the cookie property name to track.
+   */
   abstract string propertyName();
 
   override predicate isSource(DataFlow::Node source) {