Query to check sensitive cookies without the HttpOnly flag set

Author: luchua-bc

java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.java

@@ -0,0 +1,44 @@
+class SensitiveCookieNotHttpOnly {
+    // GOOD - Create a sensitive cookie with the `HttpOnly` flag set.
+    public void addCookie(String jwt_token, HttpServletRequest request, HttpServletResponse response) {
+        Cookie jwtCookie =new Cookie("jwt_token", jwt_token);
+        jwtCookie.setPath("/");
+        jwtCookie.setMaxAge(3600*24*7);
+        jwtCookie.setHttpOnly(true);
+        response.addCookie(jwtCookie);
+    }
+
+    // BAD - Create a sensitive cookie without the `HttpOnly` flag set.
+    public void addCookie2(String jwt_token, String userId, HttpServletRequest request, HttpServletResponse response) {
+        Cookie jwtCookie =new Cookie("jwt_token", jwt_token);
+        jwtCookie.setPath("/");
+        jwtCookie.setMaxAge(3600*24*7);
+        response.addCookie(jwtCookie);
+    }
+
+    // GOOD - Set a sensitive cookie header with the `HttpOnly` flag set.
+    public void addCookie3(String authId, HttpServletRequest request, HttpServletResponse response) {
+        response.addHeader("Set-Cookie", "token=" +authId + ";HttpOnly;Secure");
+    }
+
+    // BAD - Set a sensitive cookie header without the `HttpOnly` flag set.
+    public void addCookie4(String authId, HttpServletRequest request, HttpServletResponse response) {
+        response.addHeader("Set-Cookie", "token=" +authId + ";Secure");
+    }
+    
+    // GOOD - Set a sensitive cookie header using the class `javax.ws.rs.core.Cookie` with the `HttpOnly` flag set through string concatenation.
+    public void addCookie5(String accessKey, HttpServletRequest request, HttpServletResponse response) {
+        response.setHeader("Set-Cookie", new NewCookie("session-access-key", accessKey, "/", null, null, 0, true) + ";HttpOnly");
+    }
+
+    // BAD - Set a sensitive cookie header using the class `javax.ws.rs.core.Cookie` without the `HttpOnly` flag set.
+    public void addCookie6(String accessKey, HttpServletRequest request, HttpServletResponse response) {
+        response.setHeader("Set-Cookie", new NewCookie("session-access-key", accessKey, "/", null, null, 0, true).toString());
+    }
+
+    // GOOD - Set a sensitive cookie header using the class `javax.ws.rs.core.Cookie` with the `HttpOnly` flag set through the constructor.
+    public void addCookie7(String accessKey, HttpServletRequest request, HttpServletResponse response) {
+        NewCookie accessKeyCookie = new NewCookie("session-access-key", accessKey, "/", null, null, 0, true, true);
+        response.setHeader("Set-Cookie", accessKeyCookie.toString());
+    }
+}

java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.qhelp

@@ -0,0 +1,27 @@
+<!DOCTYPE qhelp SYSTEM "qhelp.dtd">
+<qhelp>
+
+  <overview>
+    <p>Cross-Site Scripting (XSS) is categorized as one of the OWASP Top 10 Security Vulnerabilities. The <code>HttpOnly</code> flag directs compatible browsers to prevent client-side script from accessing cookies. Including the HttpOnly flag in the Set-Cookie HTTP response header for a sensitive cookie helps mitigate the risk associated with XSS where an attacker's script code attempts to read the contents of a cookie and exfiltrate information obtained.</p>
+  </overview>
+
+  <recommendation>
+    <p>Use the <code>HttpOnly</code> flag when generating a cookie containing sensitive information to help mitigate the risk of client side script accessing the protected cookie.</p>
+  </recommendation>
+
+  <example>
+    <p>The following example shows two ways of generating sensitive cookies. In the 'BAD' cases, the <code>HttpOnly</code> flag is not set. In the 'GOOD' cases, the <code>HttpOnly</code> flag is set.</p>
+    <sample src="SensitiveCookieNotHttpOnly.java" />
+  </example>
+
+  <references>
+    <li>
+      PortSwigger:
+      <a href="https://portswigger.net/kb/issues/00500600_cookie-without-httponly-flag-set">Cookie without HttpOnly flag set</a>
+    </li>
+    <li>
+      OWASP:
+      <a href="https://owasp.org/www-community/HttpOnly">HttpOnly</a>
+    </li>
+  </references>
+</qhelp>

java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql

@@ -0,0 +1,194 @@
+/**
+ * @name Sensitive cookies without the HttpOnly response header set
+ * @description Sensitive cookies without 'HttpOnly' leaves session cookies vulnerable to an XSS attack.
+ * @kind path-problem
+ * @id java/sensitive-cookie-not-httponly
+ * @tags security
+ *       external/cwe/cwe-1004
+ */
+
+import java
+import semmle.code.java.frameworks.Servlets
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.dataflow.TaintTracking
+import DataFlow::PathGraph
+
+/** Gets a regular expression for matching common names of sensitive cookies. */
+string getSensitiveCookieNameRegex() { result = "(?i).*(auth|session|token|key|credential).*" }
+
+/** Holds if a string is concatenated with the name of a sensitive cookie. */
+predicate isSensitiveCookieNameExpr(Expr expr) {
+  expr.(StringLiteral)
+      .getRepresentedString()
+      .toLowerCase()
+      .regexpMatch(getSensitiveCookieNameRegex()) or
+  isSensitiveCookieNameExpr(expr.(AddExpr).getAnOperand())
+}
+
+/** Holds if a string is concatenated with the `HttpOnly` flag. */
+predicate hasHttpOnlyExpr(Expr expr) {
+  expr.(StringLiteral).getRepresentedString().toLowerCase().matches("%httponly%") or
+  hasHttpOnlyExpr(expr.(AddExpr).getAnOperand())
+}
+
+/** The method call `Set-Cookie` of `addHeader` or `setHeader`. */
+class SetCookieMethodAccess extends MethodAccess {
+  SetCookieMethodAccess() {
+    (
+      this.getMethod() instanceof ResponseAddHeaderMethod or
+      this.getMethod() instanceof ResponseSetHeaderMethod
+    ) and
+    this.getArgument(0).(StringLiteral).getRepresentedString().toLowerCase() = "set-cookie"
+  }
+}
+
+/** Sensitive cookie name used in a `Cookie` constructor or a `Set-Cookie` call. */
+class SensitiveCookieNameExpr extends Expr {
+  SensitiveCookieNameExpr() {
+    isSensitiveCookieNameExpr(this) and
+    (
+      exists(
+        ClassInstanceExpr cie // new Cookie("jwt_token", token)
+      |
+        (
+          cie.getConstructor().getDeclaringType().hasQualifiedName("javax.servlet.http", "Cookie") or
+          cie.getConstructor()
+              .getDeclaringType()
+              .getASupertype*()
+              .hasQualifiedName("javax.ws.rs.core", "Cookie") or
+          cie.getConstructor()
+              .getDeclaringType()
+              .getASupertype*()
+              .hasQualifiedName("jakarta.ws.rs.core", "Cookie")
+        ) and
+        DataFlow::localExprFlow(this, cie.getArgument(0))
+      )
+      or
+      exists(
+        SetCookieMethodAccess ma // response.addHeader("Set-Cookie: token=" +authId + ";HttpOnly;Secure")
+      |
+        DataFlow::localExprFlow(this, ma.getArgument(1))
+      )
+    )
+  }
+}
+
+/** Sink of adding a cookie to the HTTP response. */
+class CookieResponseSink extends DataFlow::ExprNode {
+  CookieResponseSink() {
+    exists(MethodAccess ma |
+      (
+        ma.getMethod() instanceof ResponseAddCookieMethod or
+        ma instanceof SetCookieMethodAccess
+      ) and
+      ma.getAnArgument() = this.getExpr()
+    )
+  }
+}
+
+/** Holds if the `node` is a method call of `setHttpOnly(true)` on a cookie. */
+predicate setHttpOnlyMethodAccess(DataFlow::Node node) {
+  exists(
+    MethodAccess addCookie, Variable cookie, MethodAccess m // jwtCookie.setHttpOnly(true)
+  |
+    addCookie.getMethod() instanceof ResponseAddCookieMethod and
+    addCookie.getArgument(0) = cookie.getAnAccess() and
+    m.getMethod().getName() = "setHttpOnly" and
+    m.getArgument(0).(BooleanLiteral).getBooleanValue() = true and
+    m.getQualifier() = cookie.getAnAccess() and
+    node.asExpr() = cookie.getAnAccess()
+  )
+}
+
+/** Holds if the `node` is a method call of `Set-Cookie` header with the `HttpOnly` flag whose cookie name is sensitive. */
+predicate setHttpOnlyInSetCookie(DataFlow::Node node) {
+  exists(SetCookieMethodAccess sa |
+    hasHttpOnlyExpr(node.asExpr()) and
+    DataFlow::localExprFlow(node.asExpr(), sa.getArgument(1))
+  )
+}
+
+/** Holds if the `node` is an invocation of a JAX-RS `NewCookie` constructor that sets `HttpOnly` to true. */
+predicate setHttpOnlyInNewCookie(DataFlow::Node node) {
+  exists(ClassInstanceExpr cie |
+    cie.getConstructor().getDeclaringType().hasName("NewCookie") and
+    DataFlow::localExprFlow(node.asExpr(), cie.getArgument(0)) and
+    (
+      cie.getNumArgument() = 6 and cie.getArgument(5).(BooleanLiteral).getBooleanValue() = true // NewCookie(Cookie cookie, String comment, int maxAge, Date expiry, boolean secure, boolean httpOnly)
+      or
+      cie.getNumArgument() = 8 and
+      cie.getArgument(6).getType() instanceof BooleanType and
+      cie.getArgument(7).(BooleanLiteral).getBooleanValue() = true // NewCookie(String name, String value, String path, String domain, String comment, int maxAge, boolean secure, boolean httpOnly)
+      or
+      cie.getNumArgument() = 10 and cie.getArgument(9).(BooleanLiteral).getBooleanValue() = true // NewCookie(String name, String value, String path, String domain, int version, String comment, int maxAge, Date expiry, boolean secure, boolean httpOnly)
+    )
+  )
+}
+
+/**
+ * Holds if the node is a test method indicated by:
+ *    a) in a test directory such as `src/test/java`
+ *    b) in a test package whose name has the word `test`
+ *    c) in a test class whose name has the word `test`
+ *    d) in a test class implementing a test framework such as JUnit or TestNG
+ */
+predicate isTestMethod(DataFlow::Node node) {
+  exists(MethodAccess ma, Method m |
+    node.asExpr() = ma.getAnArgument() and
+    m = ma.getEnclosingCallable() and
+    (
+      m.getDeclaringType().getName().toLowerCase().matches("%test%") or // Simple check to exclude test classes to reduce FPs
+      m.getDeclaringType().getPackage().getName().toLowerCase().matches("%test%") or // Simple check to exclude classes in test packages to reduce FPs
+      exists(m.getLocation().getFile().getAbsolutePath().indexOf("/src/test/java")) or //  Match test directory structure of build tools like maven
+      m instanceof TestMethod // Test method of a test case implementing a test framework such as JUnit or TestNG
+    )
+  )
+}
+
+/** A taint configuration tracking flow from a sensitive cookie without HttpOnly flag set to its HTTP response. */
+class MissingHttpOnlyConfiguration extends TaintTracking::Configuration {
+  MissingHttpOnlyConfiguration() { this = "MissingHttpOnlyConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source.asExpr() instanceof SensitiveCookieNameExpr
+  }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof CookieResponseSink }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    // cookie.setHttpOnly(true)
+    setHttpOnlyMethodAccess(node)
+    or
+    // response.addHeader("Set-Cookie: token=" +authId + ";HttpOnly;Secure")
+    setHttpOnlyInSetCookie(node)
+    or
+    // new NewCookie("session-access-key", accessKey, "/", null, null, 0, true, true)
+    setHttpOnlyInNewCookie(node)
+    or
+    // Test class or method
+    isTestMethod(node)
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(
+      ClassInstanceExpr cie // `NewCookie` constructor
+    |
+      cie.getAnArgument() = pred.asExpr() and
+      cie = succ.asExpr() and
+      cie.getConstructor().getDeclaringType().hasName("NewCookie")
+    )
+    or
+    exists(
+      MethodAccess ma // `toString` call on a cookie object
+    |
+      ma.getQualifier() = pred.asExpr() and
+      ma.getMethod().hasName("toString") and
+      ma = succ.asExpr()
+    )
+  }
+}
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, MissingHttpOnlyConfiguration c
+where c.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "$@ doesn't have the HttpOnly flag set.", source.getNode(),
+  "This sensitive cookie"

java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected

@@ -0,0 +1,13 @@
+edges
+| SensitiveCookieNotHttpOnly.java:22:38:22:48 | "jwt_token" : String | SensitiveCookieNotHttpOnly.java:28:28:28:36 | jwtCookie |
+| SensitiveCookieNotHttpOnly.java:49:56:49:75 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:49:42:49:124 | toString(...) |
+nodes
+| SensitiveCookieNotHttpOnly.java:22:38:22:48 | "jwt_token" : String | semmle.label | "jwt_token" : String |
+| SensitiveCookieNotHttpOnly.java:28:28:28:36 | jwtCookie | semmle.label | jwtCookie |
+| SensitiveCookieNotHttpOnly.java:39:42:39:69 | ... + ... | semmle.label | ... + ... |
+| SensitiveCookieNotHttpOnly.java:49:42:49:124 | toString(...) | semmle.label | toString(...) |
+| SensitiveCookieNotHttpOnly.java:49:56:49:75 | "session-access-key" : String | semmle.label | "session-access-key" : String |
+#select
+| SensitiveCookieNotHttpOnly.java:28:28:28:36 | jwtCookie | SensitiveCookieNotHttpOnly.java:22:38:22:48 | "jwt_token" : String | SensitiveCookieNotHttpOnly.java:28:28:28:36 | jwtCookie | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:22:38:22:48 | "jwt_token" | This sensitive cookie |
+| SensitiveCookieNotHttpOnly.java:39:42:39:69 | ... + ... | SensitiveCookieNotHttpOnly.java:39:42:39:69 | ... + ... | SensitiveCookieNotHttpOnly.java:39:42:39:69 | ... + ... | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:39:42:39:69 | ... + ... | This sensitive cookie |
+| SensitiveCookieNotHttpOnly.java:49:42:49:124 | toString(...) | SensitiveCookieNotHttpOnly.java:49:56:49:75 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:49:42:49:124 | toString(...) | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:49:56:49:75 | "session-access-key" | This sensitive cookie |

java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.java

@@ -0,0 +1,57 @@
+import java.io.IOException;
+
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.ServletException;
+
+import javax.ws.rs.core.NewCookie;
+
+class SensitiveCookieNotHttpOnly {
+    // GOOD - Tests adding a sensitive cookie with the `HttpOnly` flag set.
+    public void addCookie(String jwt_token, HttpServletRequest request, HttpServletResponse response) {
+        Cookie jwtCookie =new Cookie("jwt_token", jwt_token);
+        jwtCookie.setPath("/");
+        jwtCookie.setMaxAge(3600*24*7);
+        jwtCookie.setHttpOnly(true);
+        response.addCookie(jwtCookie);
+    }
+
+    // BAD - Tests adding a sensitive cookie without the `HttpOnly` flag set.
+    public void addCookie2(String jwt_token, String userId, HttpServletRequest request, HttpServletResponse response) {
+        Cookie jwtCookie =new Cookie("jwt_token", jwt_token);
+        Cookie userIdCookie =new Cookie("user_id", userId.toString());
+        jwtCookie.setPath("/");
+        userIdCookie.setPath("/");
+        jwtCookie.setMaxAge(3600*24*7);
+        userIdCookie.setMaxAge(3600*24*7);
+        response.addCookie(jwtCookie);
+        response.addCookie(userIdCookie);
+    }
+
+    // GOOD - Tests set a sensitive cookie header with the `HttpOnly` flag set.
+    public void addCookie3(String authId, HttpServletRequest request, HttpServletResponse response) {
+        response.addHeader("Set-Cookie", "token=" +authId + ";HttpOnly;Secure");
+    }
+
+    // BAD - Tests set a sensitive cookie header without the `HttpOnly` flag set.
+    public void addCookie4(String authId, HttpServletRequest request, HttpServletResponse response) {
+        response.addHeader("Set-Cookie", "token=" +authId + ";Secure");
+    }
+    
+    // GOOD - Tests set a sensitive cookie header using the class `javax.ws.rs.core.Cookie` with the `HttpOnly` flag set through string concatenation.
+    public void addCookie5(String accessKey, HttpServletRequest request, HttpServletResponse response) {
+        response.setHeader("Set-Cookie", new NewCookie("session-access-key", accessKey, "/", null, null, 0, true) + ";HttpOnly");
+    }
+
+    // BAD - Tests set a sensitive cookie header using the class `javax.ws.rs.core.Cookie` without the `HttpOnly` flag set.
+    public void addCookie6(String accessKey, HttpServletRequest request, HttpServletResponse response) {
+        response.setHeader("Set-Cookie", new NewCookie("session-access-key", accessKey, "/", null, null, 0, true).toString());
+    }
+
+    // GOOD - Tests set a sensitive cookie header using the class `javax.ws.rs.core.Cookie` with the `HttpOnly` flag set through the constructor.
+    public void addCookie7(String accessKey, HttpServletRequest request, HttpServletResponse response) {
+        NewCookie accessKeyCookie = new NewCookie("session-access-key", accessKey, "/", null, null, 0, true, true);
+        response.setHeader("Set-Cookie", accessKeyCookie.toString());
+    }
+}

java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql

java/ql/test/experimental/query-tests/security/CWE-1004/options

@@ -0,0 +1 @@
+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/jsr311-api-1.1.1