Implement cookie attributes for cases in which a raw header is set

joefarebrother · joefarebrother · commit 9ad6c8c5eb2f · 2024-07-23T10:14:16.000+01:00
diff --git a/python/ql/lib/semmle/python/Concepts.qll b/python/ql/lib/semmle/python/Concepts.qll
@@ -1250,17 +1250,70 @@ module Http {
         /**
          * Holds if the `Secure` flag of the cookie is known to have a value of `b`.
          */
-        predicate hasSecureFlag(boolean b) { none() }
+        predicate hasSecureFlag(boolean b) {
+          exists(this.getHeaderArg()) and
+          (
+            exists(StringLiteral sl |
+              sl.getText().regexpMatch("(?i).*;\\s*secure;.*") and
+              TaintTracking::localTaint(DataFlow::exprNode(sl), this.getHeaderArg()) and
+              b = true
+            )
+            or
+            exists(StringLiteral sl |
+              not sl.getText().regexpMatch("(?i).*;\\s*secure;.*") and
+              DataFlow::localFlow(DataFlow::exprNode(sl), this.getHeaderArg()) and
+              b = false
+            )
+          )
+        }
 
         /**
          * Holds if the `HttpOnly` flag of the cookie is known to have a value of `b`.
          */
-        predicate hasHttpOnlyFlag(boolean b) { none() }
+        predicate hasHttpOnlyFlag(boolean b) {
+          exists(this.getHeaderArg()) and
+          (
+            exists(StringLiteral sl |
+              sl.getText().regexpMatch("(?i).*;\\s*httponly;.*") and
+              TaintTracking::localTaint(DataFlow::exprNode(sl), this.getHeaderArg()) and
+              b = true
+            )
+            or
+            exists(StringLiteral sl |
+              not sl.getText().regexpMatch("(?i).*;\\s*httponly;.*") and
+              DataFlow::localFlow(DataFlow::exprNode(sl), this.getHeaderArg()) and
+              b = false
+            )
+          )
+        }
 
         /**
          * Holds if the `SameSite` flag of the cookie is known to have a value of `b`.
          */
-        predicate hasSameSiteFlag(boolean b) { none() }
+        // TODO: b could be a newtype with 3 values indicating Strict,Lax,or None
+        // currently, Strict and Lax are represented with true and None is represented with false.
+        predicate hasSameSiteFlag(boolean b) {
+          exists(this.getHeaderArg()) and
+          (
+            exists(StringLiteral sl |
+              sl.getText().regexpMatch("(?i).*;\\s*samesite=(strict|lax);.*") and
+              TaintTracking::localTaint(DataFlow::exprNode(sl), this.getHeaderArg()) and
+              b = true
+            )
+            or
+            exists(StringLiteral sl |
+              sl.getText().regexpMatch("(?i).*;\\s*samesite=none;.*") and
+              TaintTracking::localTaint(DataFlow::exprNode(sl), this.getHeaderArg()) and
+              b = false
+            )
+            or
+            exists(StringLiteral sl |
+              not sl.getText().regexpMatch("(?i).*;\\s*samesite=(strict|lax|none);.*") and
+              DataFlow::localFlow(DataFlow::exprNode(sl), this.getHeaderArg()) and
+              b = true // Lax is the default
+            )
+          )
+        }
       }
     }
 
diff --git a/python/ql/src/experimental/Security/CWE-614/InsecureCookie.ql b/python/ql/src/experimental/Security/CWE-614/InsecureCookie.ql
@@ -17,7 +17,6 @@ import python
 import semmle.python.dataflow.new.DataFlow
 import experimental.semmle.python.Concepts
 import semmle.python.Concepts
-import experimental.semmle.python.CookieHeader
 
 from Http::Server::CookieWrite cookie, string alert
 where
diff --git a/python/ql/src/experimental/semmle/python/CookieHeader.qll b/python/ql/src/experimental/semmle/python/CookieHeader.qll
