Extract to predicate isCookieWithSensitiveName

Author: edvraa

csharp/ql/src/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseAspNetCore.ql

@@ -29,11 +29,7 @@ where
     |
       config.hasFlow(source, sink)
     ) and
-    // It is a sensitive cookie name
-    exists(AuthCookieNameConfiguration dataflow, DataFlow::Node source, DataFlow::Node sink |
-      dataflow.hasFlow(source, sink) and
-      sink.asExpr() = mc.getArgument(0)
-    ) and
+    isCookieWithSensitiveName(mc.getArgument(0)) and
     // Passed as third argument to `IResponseCookies.Append`
     exists(
       CookieOptionsTrackingConfiguration cookieTracking, DataFlow::Node creation,

csharp/ql/src/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseSystemWeb.ql

@@ -21,9 +21,5 @@ where
   getAValueForProp(oc, a, "HttpOnly") = val and
   val.getValue() = "false" and
   oc.getType() instanceof SystemWebHttpCookie and
-  // It is a sensitive cookie name
-  exists(AuthCookieNameConfiguration dataflow, DataFlow::Node source, DataFlow::Node sink |
-    dataflow.hasFlow(source, sink) and
-    sink.asExpr() = oc.getArgument(0)
-  )
+  isCookieWithSensitiveName(oc.getArgument(0))
 select a.getRValue(), "Cookie attribute 'HttpOnly' is set to false."

csharp/ql/src/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore.ql

@@ -26,12 +26,8 @@ where
   |
     config.hasFlow(source, sink)
   ) and
-  // It is a sensitive cookie name
-  exists(AuthCookieNameConfiguration dataflow, DataFlow::Node source, DataFlow::Node sink |
-    iResponse.getAppendMethod() = mc.getTarget() and
-    dataflow.hasFlow(source, sink) and
-    sink.asExpr() = mc.getArgument(0)
-  ) and
+  iResponse.getAppendMethod() = mc.getTarget() and
+  isCookieWithSensitiveName(mc.getArgument(0)) and
   (
     // `HttpOnly` property in `CookieOptions` passed to IResponseCookies.Append(...) wasn't set
     exists(ObjectCreation oc |
@@ -48,12 +44,8 @@ where
     )
     or
     // IResponseCookies.Append(String, String) was called, `HttpOnly` is set to `false` by default
-    exists(AuthCookieNameConfiguration dataflow, DataFlow::Node source, DataFlow::Node sink |
-      mc = c and
-      mc.getNumberOfArguments() < 3 and
-      // It is a sensitive cookie name
-      dataflow.hasFlow(source, sink) and
-      sink.asExpr() = mc.getArgument(0)
-    )
+    mc = c and
+    mc.getNumberOfArguments() < 3 and
+    isCookieWithSensitiveName(mc.getArgument(0))
   )
 select c, "Cookie attribute 'HttpOnly' is not set to true."

csharp/ql/src/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb.ql

@@ -27,9 +27,5 @@ where
     element instanceof HttpCookiesElement and
     element.(HttpCookiesElement).isHttpOnlyCookies()
   ) and
-  // it is a cookie with a sensitive name
-  exists(AuthCookieNameConfiguration dataflow, DataFlow::Node source, DataFlow::Node sink |
-    dataflow.hasFlow(source, sink) and
-    sink.asExpr() = oc.getArgument(0)
-  )
+  isCookieWithSensitiveName(oc.getArgument(0))
 select oc, "Cookie attribute 'HttpOnly' is not set to true."

csharp/ql/src/semmle/code/csharp/dataflow/flowsources/AuthCookie.qll

@@ -5,10 +5,20 @@
 import csharp
 import semmle.code.csharp.frameworks.microsoft.AspNetCore
 
+/**
+ * Holds if the expression is a variable with a sensitive name.
+ */
+predicate isCookieWithSensitiveName(Expr cookieExpr) {
+  exists(AuthCookieNameConfiguration dataflow, DataFlow::Node source, DataFlow::Node sink |
+    dataflow.hasFlow(source, sink) and
+    sink.asExpr() = cookieExpr
+  )
+}
+
 /**
  * Tracks if a variable with a sensitive name is used as an argument.
  */
-class AuthCookieNameConfiguration extends DataFlow::Configuration {
+private class AuthCookieNameConfiguration extends DataFlow::Configuration {
   AuthCookieNameConfiguration() { this = "AuthCookieNameConfiguration" }
 
   private predicate isAuthVariable(Expr expr) {