Single Secure query

Author: edvraa

csharp/ql/src/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore.qhelp

@@ -13,7 +13,8 @@ Cross-Site Scripting (XSS) vulnerability the cookie can be stolen by malicious s
 <recommendation>
 <p>
 Protect sensitive cookies, such as related to authentication, by setting <code>HttpOnly</code> to <code>true</code> to make
-them not accessible to JavaScript.
+them not accessible to JavaScript. In ASP.NET case it is also possible to set the attribute via <code>&lt;httpCookies&gt;</code> element
+of <code>web.config</code> with the attribute <code>httpOnlyCookies="true"</code>.
 </p>
 </recommendation>
 

csharp/ql/src/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore.ql

@@ -7,7 +7,7 @@
  * @kind problem
  * @problem.severity warning
  * @precision high
- * @id cs/web/httponly-not-set
+ * @id cs/web/cookie-httponly-not-set
  * @tags security
  *       external/cwe/cwe-1004
  */

csharp/ql/src/experimental/Security Features/CWE-614/RequireSSLAspNetCore.qhelp

@@ -12,14 +12,19 @@ cookies are sent via HTTP, not HTTPS.
 
 <recommendation>
 <p>
-When using cookies ensure that HTTPS is used by setting the property <code>Microsoft.AspNetCore.Http.CookieOptions.Secure</code> to <code>true</code>.
+In ASP.NET case when using cookies ensure that HTTPS is used by setting the property <code>Microsoft.AspNetCore.Http.CookieOptions.Secure</code> to <code>true</code>.
+</p>
+<p>
+In ASP.NET Core case when using cookies, ensure that SSL is used, either via the <code>&lt;forms&gt;</code> attribute above, or
+the <code>&lt;httpCookies&gt;</code> element, with the attribute <code>requireSSL="true"</code>. It is also possible to require cookies
+to use SSL programmatically, by setting the property <code>System.Web.HttpCookie.Secure</code> to <code>true</code>.
 </p>
 </recommendation>
 
 <example>
 
 <p>
-In the example below to <code>Microsoft.AspNetCore.Http.CookieOptions.Secure</code> is set to <code>true</code> programmatically.
+In the example below <code>Microsoft.AspNetCore.Http.CookieOptions.Secure</code> is set to <code>true</code> programmatically.
 </p>
 
 <sample src="secureflagcore.cs" />
@@ -30,12 +35,21 @@ In the following example <code>CookiePolicyOptions</code> are set programmatical
 
 <sample src="cookiepolicyoptions.cs" />
 
+<p>
+In the example below <code>System.Web.HttpCookie.Secure</code> is set to <code>true</code> programmatically.
+</p>
+
+<sample src="secureflag.cs" />
+
 </example>
 
 <references>
 
-<li>MSDN: <a href="https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions.secure">CookieOptions.Secure Property</a></li>
+<li><a href="https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions.secure">CookieOptions.Secure Property</a></li>
 <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie">Set-Cookie</a> Header</li>
+<li><a href="https://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.requiressl(v=vs.110).aspx">FormsAuthentication.RequireSSL Property</a></li>
+<li><a href="https://msdn.microsoft.com/en-us/library/1d3t3c61(v=vs.100).aspx">forms Element for authentication</a></li>
+<li><a href="https://msdn.microsoft.com/library/ms228262%28v=vs.100%29.aspx">httpCookies Element</a></li>
 
 </references>
 </qhelp>

csharp/ql/src/experimental/Security Features/CWE-614/RequireSSLAspNetCore.ql

@@ -5,48 +5,113 @@
  *              is used at all times.
  * @kind problem
  * @problem.severity error
- * @precision medium
- * @id cs/web/cookie-secure-not-set-aspnetcore
+ * @precision high
+ * @id cs/web/cookie-secure-not-set
  * @tags security
  *       external/cwe/cwe-319
  *       external/cwe/cwe-614
  */
 
 import csharp
+import semmle.code.asp.WebConfig
+import semmle.code.csharp.frameworks.system.Web
 import semmle.code.csharp.frameworks.microsoft.AspNetCore
 import semmle.code.csharp.dataflow.flowsources.AuthCookie
 
-from Call c
+from Expr secureSink
 where
-  // default is not configured or is not set to `Always` or `SameAsRequest`
-  not (
-    getAValueForCookiePolicyProp("Secure").getValue() = "0" or
-    getAValueForCookiePolicyProp("Secure").getValue() = "1"
-  ) and
-  // there is no callback `OnAppendCookie` that sets `Secure` to true
-  not exists(OnAppendCookieSecureTrackingConfig config, DataFlow::Node source, DataFlow::Node sink |
-    config.hasFlow(source, sink)
-  ) and
-  (
-    // `Secure` property in `CookieOptions` passed to IResponseCookies.Append(...) wasn't set
-    exists(ObjectCreation oc |
-      oc = c and
-      oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
-      not isPropertySet(oc, "Secure") and
-      exists(
-        CookieOptionsTrackingConfiguration cookieTracking, DataFlow::Node creation,
-        DataFlow::Node append
+  exists(Call c |
+    secureSink = c and
+    (
+      // default is not configured or is not set to `Always` or `SameAsRequest`
+      not (
+        getAValueForCookiePolicyProp("Secure").getValue() = "0" or
+        getAValueForCookiePolicyProp("Secure").getValue() = "1"
+      ) and
+      // there is no callback `OnAppendCookie` that sets `Secure` to true
+      not exists(
+        OnAppendCookieSecureTrackingConfig config, DataFlow::Node source, DataFlow::Node sink
       |
-        cookieTracking.hasFlow(creation, append) and
-        creation.asExpr() = oc
+        config.hasFlow(source, sink)
+      ) and
+      (
+        // `Secure` property in `CookieOptions` passed to IResponseCookies.Append(...) wasn't set
+        exists(ObjectCreation oc |
+          oc = c and
+          oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
+          not isPropertySet(oc, "Secure") and
+          exists(
+            CookieOptionsTrackingConfiguration cookieTracking, DataFlow::Node creation,
+            DataFlow::Node append
+          |
+            cookieTracking.hasFlow(creation, append) and
+            creation.asExpr() = oc
+          )
+        )
+        or
+        // IResponseCookies.Append(String, String) was called, `Secure` is set to `false` by default
+        exists(MethodCall mc, MicrosoftAspNetCoreHttpResponseCookies iResponse |
+          mc = c and
+          iResponse.getAppendMethod() = mc.getTarget() and
+          mc.getNumberOfArguments() < 3
+        )
+      )
+      or
+      exists(ObjectCreation oc |
+        oc = c and
+        oc.getType() instanceof SystemWebHttpCookie and
+        // the property wasn't explicitly set, so a default value from config is used
+        not isPropertySet(oc, "Secure") and
+        // the default in config is not set to `true`
+        not exists(XMLElement element |
+          element instanceof FormsElement and
+          element.(FormsElement).isRequireSSL()
+          or
+          element instanceof HttpCookiesElement and
+          element.(HttpCookiesElement).isRequireSSL()
+        )
       )
     )
-    or
-    // IResponseCookies.Append(String, String) was called, `Secure` is set to `false` by default
-    exists(MethodCall mc, MicrosoftAspNetCoreHttpResponseCookies iResponse |
-      mc = c and
-      iResponse.getAppendMethod() = mc.getTarget() and
-      mc.getNumberOfArguments() < 3
+  )
+  or
+  exists(Assignment a, Expr val |
+    secureSink = a.getRValue() and
+    (
+      exists(ObjectCreation oc |
+        getAValueForProp(oc, a, "Secure") = val and
+        val.getValue() = "false" and
+        (
+          oc.getType() instanceof SystemWebHttpCookie
+          or
+          oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
+          // there is no callback `OnAppendCookie` that sets `Secure` to true
+          not exists(
+            OnAppendCookieSecureTrackingConfig config, DataFlow::Node source, DataFlow::Node sink
+          |
+            config.hasFlow(source, sink)
+          ) and
+          // the cookie option is passed to `Append`
+          exists(
+            CookieOptionsTrackingConfiguration cookieTracking, DataFlow::Node creation,
+            DataFlow::Node append
+          |
+            cookieTracking.hasFlow(creation, append) and
+            creation.asExpr() = oc
+          )
+        )
+      )
+      or
+      exists(PropertyWrite pw |
+        (
+          pw.getProperty().getDeclaringType() instanceof MicrosoftAspNetCoreHttpCookieBuilder or
+          pw.getProperty().getDeclaringType() instanceof
+            MicrosoftAspNetCoreAuthenticationCookiesCookieAuthenticationOptions
+        ) and
+        pw.getProperty().getName() = "SecurePolicy" and
+        a.getLValue() = pw and
+        DataFlow::localExprFlow(val, a.getRValue()) and
+        val.getValue() = "2" // None
+      )
     )
   )
-select c, "Cookie attribute 'Secure' is not set to true."
+select secureSink, "Cookie attribute 'Secure' is not set to true."