a new test for simple flow

Author: edvraa

javascript/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.expected

@@ -1,7 +1,8 @@
 | test_cookie-session.js:12:9:16:2 | session ...  BAD\\n}) | Cookie attribute 'HttpOnly' is not set to true. |
 | test_cookie-session.js:30:9:30:21 | session(sess) | Cookie attribute 'HttpOnly' is not set to true. |
 | test_cookie-session.js:39:9:39:22 | session(sess2) | Cookie attribute 'HttpOnly' is not set to true. |
-| test_cookie-session.js:48:9:48:22 | session(sess2) | Cookie attribute 'HttpOnly' is not set to true. |
+| test_cookie-session.js:48:9:48:22 | session(sess3) | Cookie attribute 'HttpOnly' is not set to true. |
+| test_cookie-session.js:52:9:56:2 | session ...  BAD\\n}) | Cookie attribute 'HttpOnly' is not set to true. |
 | test_express-session.js:11:9:15:2 | session ...  BAD\\n}) | Cookie attribute 'HttpOnly' is not set to true. |
 | test_express-session.js:28:9:32:2 | session ... tter\\n}) | Cookie attribute 'HttpOnly' is not set to true. |
 | test_httpserver.js:7:37:7:48 | "auth=ninja" | Cookie attribute 'HttpOnly' is not set to true. |

javascript/ql/test/query-tests/Security/CWE-1004/test_cookie-session.js

@@ -38,11 +38,19 @@ var sess2 = {
 sess2.httpOnly = false;
 app.use(session(sess2)) // BAD
 
-var sess2 = {
+var sess3 = {
     name: 'mycookie',
     keys: ['key1', 'key2'],
     httpOnly: true,
 }
 
-sess2.httpOnly = false;
-app.use(session(sess2)) // BAD, It is a session cookie, name doesn't matter
+sess3.httpOnly = false;
+app.use(session(sess3)) // BAD, It is a session cookie, name doesn't matter
+
+var flag = false
+var flag2 = flag
+app.use(session({
+    name: 'session',
+    keys: ['key1', 'key2'],
+    httpOnly: flag2 // BAD
+}))