Update stub classes and qldoc

Author: luchua-bc

java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql

@@ -82,8 +82,8 @@ class CookieClass extends RefType {
   }
 }
 
-/** Holds if the `expr` is `true` or a variable that is ever assigned `true`. */
-// This could be a very large result set if computed out of context
+/** Holds if `expr` is any boolean-typed expression other than literal `false`. */
+// Inlined because this could be a very large result set if computed out of context
 pragma[inline]
 predicate mayBeBooleanTrue(Expr expr) {
   expr.getType() instanceof BooleanType and
@@ -123,11 +123,11 @@ predicate isTestMethod(MethodAccess ma) {
 }
 
 /**
- * A taint configuration tracking flow of a method or a wrapper method that sets the `HttpOnly`
- * flag, or one that removes a cookie, to a `ServletResponse.addCookie` call.
+ * A taint configuration tracking flow of a method that sets the `HttpOnly` flag,
+ * or one that removes a cookie, to a `ServletResponse.addCookie` call.
  */
-class SetHttpOnlyInCookieConfiguration extends TaintTracking2::Configuration {
-  SetHttpOnlyInCookieConfiguration() { this = "SetHttpOnlyInCookieConfiguration" }
+class SetHttpOnlyOrRemovesCookieConfiguration extends TaintTracking2::Configuration {
+  SetHttpOnlyOrRemovesCookieConfiguration() { this = "SetHttpOnlyOrRemovesCookieConfiguration" }
 
   override predicate isSource(DataFlow::Node source) {
     source.asExpr() =
@@ -150,7 +150,7 @@ class CookieResponseSink extends DataFlow::ExprNode {
       (
         ma.getMethod() instanceof ResponseAddCookieMethod and
         this.getExpr() = ma.getArgument(0) and
-        not exists(SetHttpOnlyInCookieConfiguration cc | cc.hasFlowTo(this))
+        not exists(SetHttpOnlyOrRemovesCookieConfiguration cc | cc.hasFlowTo(this))
         or
         ma instanceof SetCookieMethodAccess and
         this.getExpr() = ma.getArgument(1) and

java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.java

@@ -137,7 +137,7 @@ public void addCookie14(HttpServletRequest request, HttpServletResponse response
         response.addCookie(createCookie("refresh_token", refreshToken, true));
     }
 
-    // BAD - Tests set a sensitive cookie header with the `HttpOnly` flag not set through a boolean variable using a wrapper method.
+    // GOOD - Tests set a sensitive cookie header with the `HttpOnly` flag not set through a boolean variable using a wrapper method.
     public void addCookie15(HttpServletRequest request, HttpServletResponse response, String refreshToken) {
         response.addCookie(createCookie("refresh_token", refreshToken, false));
     }

java/ql/test/stubs/jsr311-api-1.1.1/javax/ws/rs/core/Cookie.java

@@ -125,7 +125,7 @@ public static Cookie valueOf(final String value) {
      * @return the cookie name.
      */
     public String getName() {
-        return name;
+        return null;
     }
 
     /**
@@ -134,7 +134,7 @@ public String getName() {
      * @return the cookie value.
      */
     public String getValue() {
-        return value;
+        return null;
     }
 
     /**
@@ -143,7 +143,7 @@ public String getValue() {
      * @return the cookie version.
      */
     public int getVersion() {
-        return version;
+        return -1;
     }
 
     /**
@@ -152,7 +152,7 @@ public int getVersion() {
      * @return the cookie domain.
      */
     public String getDomain() {
-        return domain;
+        return null;
     }
 
     /**
@@ -161,6 +161,6 @@ public String getDomain() {
      * @return the cookie path.
      */
     public String getPath() {
-        return path;
+        return null;
     }
 }

java/ql/test/stubs/servlet-api-2.4/javax/servlet/http/Cookie.java

@@ -24,95 +24,51 @@
 package javax.servlet.http;
 
 public class Cookie implements Cloneable {
-    private String name; // NAME= ... "$Name" style is reserved
-    private String value; // value of NAME
-    private String comment; // ;Comment=VALUE ... describes cookie's use
-    private String domain; // ;Domain=VALUE ... domain that sees cookie
-    private int maxAge = -1; // ;Max-Age=VALUE ... cookies auto-expire
-    private String path; // ;Path=VALUE ... URLs that see the cookie
-    private boolean secure; // ;Secure ... e.g. use SSL
-    private int version = 0; // ;Version=1 ... means RFC 2109++ style
-    private boolean isHttpOnly = false;
 
     public Cookie(String name, String value) {
-        this.name = name;
-        this.value = value;
     }
     public void setComment(String purpose) {
-        comment = purpose;
     }
     public String getComment() {
-        return comment;
+        return null;
     }
     public void setDomain(String pattern) {
-        domain = pattern.toLowerCase(); // IE allegedly needs this
     }
     public String getDomain() {
-        return domain;
+        return null;
     }
     public void setMaxAge(int expiry) {
-        maxAge = expiry;
     }
     public int getMaxAge() {
-        return maxAge;
+        return -1;
     }
     public void setPath(String uri) {
-        path = uri;
     }
     public String getPath() {
-        return path;
+        return null;
     }
     public void setSecure(boolean flag) {
-        secure = flag;
     }
     public boolean getSecure() {
-        return secure;
+        return false;
     }
     public String getName() {
-        return name;
+        return null;
     }
     public void setValue(String newValue) {
-        value = newValue;
     }
     public String getValue() {
-        return value;
+        return null;
     }
     public int getVersion() {
-        return version;
+        return -1;
     }
     public void setVersion(int v) {
     }
-
-    /**
-     * Marks or unmarks this Cookie as <i>HttpOnly</i>.
-     *
-     * <p>If <tt>isHttpOnly</tt> is set to <tt>true</tt>, this cookie is
-     * marked as <i>HttpOnly</i>, by adding the <tt>HttpOnly</tt> attribute
-     * to it.
-     *
-     * <p><i>HttpOnly</i> cookies are not supposed to be exposed to
-     * client-side scripting code, and may therefore help mitigate certain
-     * kinds of cross-site scripting attacks.
-     *
-     * @param isHttpOnly true if this cookie is to be marked as
-     * <i>HttpOnly</i>, false otherwise
-     *
-     * @since Servlet 3.0
-     */
     public void setHttpOnly(boolean isHttpOnly) {
-        this.isHttpOnly = isHttpOnly;
     }
- 
-    /**
-     * Checks whether this Cookie has been marked as <i>HttpOnly</i>.
-     *
-     * @return true if this Cookie has been marked as <i>HttpOnly</i>,
-     * false otherwise
-     *
-     * @since Servlet 3.0
-     */
     public boolean isHttpOnly() {
-        return isHttpOnly;
+        return false;
     }
 
     /**