From 9eef6243a3362c5775b36b294b6f28817929934b Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Mon, 3 Nov 2025 14:54:35 +0000 Subject: [PATCH 1/5] Implement cookie write concepts and httponly query --- go/ql/lib/semmle/go/concepts/HTTP.qll | 92 +++++++++++++++++++ .../semmle/go/frameworks/stdlib/NetHttp.qll | 34 +++++++ .../lib/semmle/go/security/SecureCookies.qll | 79 ++++++++++++++++ .../CWE-1004/CookieWithoutHttpOnly.ql | 28 ++++++ 4 files changed, 233 insertions(+) create mode 100644 go/ql/lib/semmle/go/security/SecureCookies.qll create mode 100644 go/ql/src/Security/CWE-1004/CookieWithoutHttpOnly.ql diff --git a/go/ql/lib/semmle/go/concepts/HTTP.qll b/go/ql/lib/semmle/go/concepts/HTTP.qll index 9bf5b6a7ad84..0fdf5a68624d 100644 --- a/go/ql/lib/semmle/go/concepts/HTTP.qll +++ b/go/ql/lib/semmle/go/concepts/HTTP.qll @@ -380,4 +380,96 @@ module Http { /** Gets a node that is used in a check that is tested before this handler is run. */ predicate guardedBy(DataFlow::Node check) { super.guardedBy(check) } } + + /** Provides a class for modelling HTTP response cookie writes. */ + module CookieWrite { + /** + * An write of an HTTP Cookie to an HTTP response. + * + * Extend this class to model new APIs. If you want to refine existing API models, + * extend `HTTP::CookieWrite` instead. + */ + abstract class Range extends DataFlow::Node { + /** Gets the name of the cookie written. */ + abstract DataFlow::Node getName(); + + /** Gets the value of the cookie written. */ + abstract DataFlow::Node getValue(); + + /** Gets the `Secure` attribute of the cookie written. */ + abstract DataFlow::Node getSecure(); + + /** Gets the `HttpOnly` attribute of the cookie written. */ + abstract DataFlow::Node getHttpOnly(); + } + } + + /** + * An write of an HTTP Cookie to an HTTP response. + * + * Extend this class to refine existing API models. If you want to model new APIs, + * extend `HTTP::CookieWrite::Range` instead. + */ + class CookieWrite extends DataFlow::Node instanceof CookieWrite::Range { + /** Gets the name of the cookie written. */ + DataFlow::Node getName() { result = super.getName() } + + /** Gets the value of the cookie written. */ + DataFlow::Node getValue() { result = super.getValue() } + + /** Gets the `Secure` attribute of the cookie written. */ + DataFlow::Node getSecure() { result = super.getSecure() } + + /** Gets the `HttpOnly` attribute of the cookie written. */ + DataFlow::Node getHttpOnly() { result = super.getHttpOnly() } + } + + /** Provides a class for modelling the options of an HTTP cookie. */ + module CookieOptions { + /** + * An HTTP Cookie object. + * + * Extend this class to model new APIs. If you want to refine existing API models, + * extend `HTTP::CookieOptions` instead. + */ + abstract class Range extends DataFlow::Node { + /** Gets the node representing the cookie object for the options being set. */ + abstract DataFlow::Node getCookieOutput(); + + /** Gets the name of the cookie represented. */ + abstract DataFlow::Node getName(); + + /** Gets the value of the cookie represented. */ + abstract DataFlow::Node getValue(); + + /** Gets the `Secure` attribute of the cookie represented. */ + abstract DataFlow::Node getSecure(); + + /** Gets the `HttpOnly` attribute of the cookie represented. */ + abstract DataFlow::Node getHttpOnly(); + } + } + + /** + * An HTTP Cookie. + * + * Extend this class to refine existing API models. If you want to model new APIs, + * extend `HTTP::CookieOptions::Range` instead. + */ + class CookieOptions extends DataFlow::Node instanceof CookieOptions::Range { + /** Gets the node representing the cookie object for the options being set. */ + DataFlow::Node getCookieOutput() { result = super.getCookieOutput() } + + /** Gets the name of the cookie represented. */ + DataFlow::Node getName() { result = super.getName() } + + /** Gets the value of the cookie represented. */ + DataFlow::Node getValue() { result = super.getValue() } + + /** Gets the `Secure` attribute of the cookie represented. */ + DataFlow::Node getSecure() { result = super.getSecure() } + + /** Gets the `HttpOnly` attribute of the cookie represented. */ + DataFlow::Node getHttpOnly() { result = super.getHttpOnly() } + } } diff --git a/go/ql/lib/semmle/go/frameworks/stdlib/NetHttp.qll b/go/ql/lib/semmle/go/frameworks/stdlib/NetHttp.qll index 88c9605502f6..f68d95181095 100644 --- a/go/ql/lib/semmle/go/frameworks/stdlib/NetHttp.qll +++ b/go/ql/lib/semmle/go/frameworks/stdlib/NetHttp.qll @@ -293,4 +293,38 @@ module NetHttp { override DataFlow::Node getAPathArgument() { result = this.getArgument(2) } } + + class CookieWrite extends Http::CookieWrite::Range, DataFlow::CallNode { + CookieWrite() { this.getTarget().hasQualifiedName(package("net/http", ""), "SetCookie") } + + override DataFlow::Node getName() { result = this.getArgument(1) } + + override DataFlow::Node getValue() { result = this.getArgument(1) } + + override DataFlow::Node getSecure() { result = this.getArgument(1) } + + override DataFlow::Node getHttpOnly() { result = this.getArgument(1) } + } + + class CookieFieldWrite extends Http::CookieOptions::Range { + Write w; + Field f; + DataFlow::Node written; + string fieldName; + + CookieFieldWrite() { + f.hasQualifiedName(package("net/http", ""), "Cookie", fieldName) and + w.writesField(this, f, written) + } + + override DataFlow::Node getCookieOutput() { result = this } + + override DataFlow::Node getName() { fieldName = "Name" and result = written } + + override DataFlow::Node getValue() { fieldName = "Value" and result = written } + + override DataFlow::Node getSecure() { fieldName = "Secure" and result = written } + + override DataFlow::Node getHttpOnly() { fieldName = "HttpOnly" and result = written } + } } diff --git a/go/ql/lib/semmle/go/security/SecureCookies.qll b/go/ql/lib/semmle/go/security/SecureCookies.qll new file mode 100644 index 000000000000..654acc81569f --- /dev/null +++ b/go/ql/lib/semmle/go/security/SecureCookies.qll @@ -0,0 +1,79 @@ +/** Provides classes and predicates for identifying HTTP cookies with insecure attributes. */ + +import go +import semmle.go.concepts.HTTP +import semmle.go.dataflow.DataFlow + +/** + * Holds if the expression or its value has a sensitive name + */ +private predicate isSensitiveExpr(Expr expr, string val) { + ( + val = expr.getStringValue() or + val = expr.(Name).getTarget().getName() + ) and + val.regexpMatch("(?i).*(session|login|token|user|auth|credential).*") and + not val.regexpMatch("(?i).*(xsrf|csrf|forgery).*") +} + +private module SensitiveCookieNameConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { isSensitiveExpr(source.asExpr(), _) } + + predicate isSink(DataFlow::Node sink) { exists(Http::CookieWrite cw | sink = cw.getName()) } + + predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(Http::CookieOptions co | co.getName() = pred and co.getCookieOutput() = succ) + } +} + +/** Tracks flow from sensitive names to HTTP cookie writes. */ +module SensitiveCookieNameFlow = DataFlow::Global; + +private module BooleanCookieSecureConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { exists(source.asExpr().getBoolValue()) } + + predicate isSink(DataFlow::Node sink) { exists(Http::CookieWrite cw | sink = cw.getSecure()) } + + predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(Http::CookieOptions co | co.getSecure() = pred and co.getCookieOutput() = succ) + } +} + +/** Tracks flow from boolean expressions to the `Secure` attribute HTTP cookie writes. */ +module BooleanCookieSecureFlow = DataFlow::Global; + +private module BooleanCookieHttpOnlyConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { exists(source.asExpr().getBoolValue()) } + + predicate isSink(DataFlow::Node sink) { exists(Http::CookieWrite cw | sink = cw.getHttpOnly()) } + + predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(Http::CookieOptions co | co.getHttpOnly() = pred and co.getCookieOutput() = succ) + } +} + +/** Tracks flow from boolean expressions to the `HttpOnly` attribute HTTP cookie writes. */ +module BooleanCookieHttpOnlyFlow = DataFlow::Global; + +predicate isInsecureDefault(Http::CookieWrite cw) { + not BooleanCookieSecureFlow::flow(_, cw.getSecure()) +} + +predicate isNonHttpOnlyDefault(Http::CookieWrite cw) { + not BooleanCookieHttpOnlyFlow::flow(_, cw.getHttpOnly()) +} + +predicate isInsecureDirect(Http::CookieWrite cw, Expr boolFalse) { + BooleanCookieSecureFlow::flow(DataFlow::exprNode(boolFalse), cw.getSecure()) and + boolFalse.getBoolValue() = false +} + +predicate isNonHttpOnlyDirect(Http::CookieWrite cw, Expr boolFalse) { + BooleanCookieHttpOnlyFlow::flow(DataFlow::exprNode(boolFalse), cw.getHttpOnly()) and + boolFalse.getBoolValue() = false +} + +predicate isSensitiveCookie(Http::CookieWrite cw, Expr nameExpr, string name) { + SensitiveCookieNameFlow::flow(DataFlow::exprNode(nameExpr), cw.getName()) and + isSensitiveExpr(nameExpr, name) +} diff --git a/go/ql/src/Security/CWE-1004/CookieWithoutHttpOnly.ql b/go/ql/src/Security/CWE-1004/CookieWithoutHttpOnly.ql new file mode 100644 index 000000000000..e61fd652680e --- /dev/null +++ b/go/ql/src/Security/CWE-1004/CookieWithoutHttpOnly.ql @@ -0,0 +1,28 @@ +/** + * @name 'HttpOnly' attribute is not set to true + * @description Omitting the 'HttpOnly' attribute for security sensitive data allows + * malicious JavaScript to steal it in case of XSS vulnerability. Always set + * 'HttpOnly' to 'true' to authentication related cookie to make it + * not accessible by JavaScript. + * @kind problem + * @problem.severity warning + * @precision high + * @id go/cookie-httponly-not-set + * @tags security + * experimental + * external/cwe/cwe-1004 + */ + +import go +import semmle.go.security.SecureCookies +import semmle.go.concepts.HTTP + +from Http::CookieWrite cw, Expr sensitiveNameExpr, string name +where + isSensitiveCookie(cw, sensitiveNameExpr, name) and + ( + isNonHttpOnlyDefault(cw) + or + isNonHttpOnlyDirect(cw, _) + ) +select cw, "Sensitive cookie $@ does not set HttpOnly to true", sensitiveNameExpr, name From 779768d389ca01e871e95af1a3a849c024b0b5cd Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Wed, 5 Nov 2025 09:57:26 +0000 Subject: [PATCH 2/5] Fixes, add secure query --- .../lib/semmle/go/security/SecureCookies.qll | 55 ++++++++++++++----- .../CWE-1004/CookieWithoutHttpOnly.ql | 19 +++---- .../Security/CWE-614/CookieWithoutSecure.ql | 18 ++++++ 3 files changed, 69 insertions(+), 23 deletions(-) create mode 100644 go/ql/src/Security/CWE-614/CookieWithoutSecure.ql diff --git a/go/ql/lib/semmle/go/security/SecureCookies.qll b/go/ql/lib/semmle/go/security/SecureCookies.qll index 654acc81569f..f700c0303371 100644 --- a/go/ql/lib/semmle/go/security/SecureCookies.qll +++ b/go/ql/lib/semmle/go/security/SecureCookies.qll @@ -27,10 +27,12 @@ private module SensitiveCookieNameConfig implements DataFlow::ConfigSig { } /** Tracks flow from sensitive names to HTTP cookie writes. */ -module SensitiveCookieNameFlow = DataFlow::Global; +module SensitiveCookieNameFlow = TaintTracking::Global; private module BooleanCookieSecureConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { exists(source.asExpr().getBoolValue()) } + predicate isSource(DataFlow::Node source) { + source.getType().getUnderlyingType() instanceof BoolType + } predicate isSink(DataFlow::Node sink) { exists(Http::CookieWrite cw | sink = cw.getSecure()) } @@ -39,11 +41,13 @@ private module BooleanCookieSecureConfig implements DataFlow::ConfigSig { } } -/** Tracks flow from boolean expressions to the `Secure` attribute HTTP cookie writes. */ -module BooleanCookieSecureFlow = DataFlow::Global; +/** Tracks flow from boolean expressions to the `Secure` attribute of HTTP cookie writes. */ +module BooleanCookieSecureFlow = TaintTracking::Global; private module BooleanCookieHttpOnlyConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { exists(source.asExpr().getBoolValue()) } + predicate isSource(DataFlow::Node source) { + source.getType().getUnderlyingType() instanceof BoolType + } predicate isSink(DataFlow::Node sink) { exists(Http::CookieWrite cw | sink = cw.getHttpOnly()) } @@ -52,28 +56,53 @@ private module BooleanCookieHttpOnlyConfig implements DataFlow::ConfigSig { } } -/** Tracks flow from boolean expressions to the `HttpOnly` attribute HTTP cookie writes. */ -module BooleanCookieHttpOnlyFlow = DataFlow::Global; +/** Tracks flow from boolean expressions to the `HttpOnly` attribute of HTTP cookie writes. */ +module BooleanCookieHttpOnlyFlow = TaintTracking::Global; +/** Holds if `cw` has the `Secure` attribute left at its default value of `false`. */ predicate isInsecureDefault(Http::CookieWrite cw) { not BooleanCookieSecureFlow::flow(_, cw.getSecure()) } -predicate isNonHttpOnlyDefault(Http::CookieWrite cw) { - not BooleanCookieHttpOnlyFlow::flow(_, cw.getHttpOnly()) -} - +/** Holds if `cw` has the `Secure` attribute explicitly set to `false`, from the expression `boolFalse`. */ predicate isInsecureDirect(Http::CookieWrite cw, Expr boolFalse) { BooleanCookieSecureFlow::flow(DataFlow::exprNode(boolFalse), cw.getSecure()) and boolFalse.getBoolValue() = false } +/** Holds if `cw` has the `Secure` attribute set to `false`, either explicitly or by default. */ +predicate isInsecureCookie(Http::CookieWrite cw) { + isInsecureDefault(cw) or + isInsecureDirect(cw, _) +} + +/** Holds if `cw` has the `HttpOnly` attribute left at its default value of `false`. */ +predicate isNonHttpOnlyDefault(Http::CookieWrite cw) { + not BooleanCookieHttpOnlyFlow::flow(_, cw.getHttpOnly()) +} + +/** Holds if `cw` has the `HttpOnly` attribute explicitly set to `false`, from the expression `boolFalse`. */ predicate isNonHttpOnlyDirect(Http::CookieWrite cw, Expr boolFalse) { BooleanCookieHttpOnlyFlow::flow(DataFlow::exprNode(boolFalse), cw.getHttpOnly()) and boolFalse.getBoolValue() = false } -predicate isSensitiveCookie(Http::CookieWrite cw, Expr nameExpr, string name) { - SensitiveCookieNameFlow::flow(DataFlow::exprNode(nameExpr), cw.getName()) and +/** Holds if `cw` has the `HttpOnly` attribute set to `false`, either explicitly or by default. */ +predicate isNonHttpOnlyCookie(Http::CookieWrite cw) { + isNonHttpOnlyDefault(cw) or + isNonHttpOnlyDirect(cw, _) +} + +/** + * Holds if `cw` has the sensitive name `name`, from the expression `nameExpr`. + * `source` and `sink` represent the data flow path from the sensitive name expression to the cookie write. + */ +predicate isSensitiveCookie( + Http::CookieWrite cw, Expr nameExpr, string name, SensitiveCookieNameFlow::PathNode source, + SensitiveCookieNameFlow::PathNode sink +) { + SensitiveCookieNameFlow::flowPath(source, sink) and + source.getNode().asExpr() = nameExpr and + sink.getNode() = cw.getName() and isSensitiveExpr(nameExpr, name) } diff --git a/go/ql/src/Security/CWE-1004/CookieWithoutHttpOnly.ql b/go/ql/src/Security/CWE-1004/CookieWithoutHttpOnly.ql index e61fd652680e..27f86d23dd2c 100644 --- a/go/ql/src/Security/CWE-1004/CookieWithoutHttpOnly.ql +++ b/go/ql/src/Security/CWE-1004/CookieWithoutHttpOnly.ql @@ -4,25 +4,24 @@ * malicious JavaScript to steal it in case of XSS vulnerability. Always set * 'HttpOnly' to 'true' to authentication related cookie to make it * not accessible by JavaScript. - * @kind problem + * @kind path-problem * @problem.severity warning * @precision high * @id go/cookie-httponly-not-set * @tags security - * experimental * external/cwe/cwe-1004 */ import go import semmle.go.security.SecureCookies import semmle.go.concepts.HTTP +import SensitiveCookieNameFlow::PathGraph -from Http::CookieWrite cw, Expr sensitiveNameExpr, string name +from + Http::CookieWrite cw, Expr sensitiveNameExpr, string name, + SensitiveCookieNameFlow::PathNode source, SensitiveCookieNameFlow::PathNode sink where - isSensitiveCookie(cw, sensitiveNameExpr, name) and - ( - isNonHttpOnlyDefault(cw) - or - isNonHttpOnlyDirect(cw, _) - ) -select cw, "Sensitive cookie $@ does not set HttpOnly to true", sensitiveNameExpr, name + isSensitiveCookie(cw, sensitiveNameExpr, name, source, sink) and + isNonHttpOnlyCookie(cw) +select cw, source, sink, "Sensitive cookie $@ does not set HttpOnly attribute to true.", + sensitiveNameExpr, name diff --git a/go/ql/src/Security/CWE-614/CookieWithoutSecure.ql b/go/ql/src/Security/CWE-614/CookieWithoutSecure.ql new file mode 100644 index 000000000000..635d2113f8df --- /dev/null +++ b/go/ql/src/Security/CWE-614/CookieWithoutSecure.ql @@ -0,0 +1,18 @@ +/** + * @name 'Secure' attribute is not set to true + * @description todo + * @kind problem + * @problem.severity warning + * @precision high + * @id go/cookie-secure-not-set + * @tags security + * external/cwe/cwe-1004 + */ + +import go +import semmle.go.security.SecureCookies +import semmle.go.concepts.HTTP + +from Http::CookieWrite cw +where isInsecureCookie(cw) +select cw, "Cookie does not set Secure attribute to true" From 849361cce36c154aab9ea9e80aead0eb0653d2bb Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Wed, 5 Nov 2025 10:47:59 +0000 Subject: [PATCH 3/5] Add modeling for gin --- go/ql/lib/semmle/go/frameworks/Gin.qll | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 go/ql/lib/semmle/go/frameworks/Gin.qll diff --git a/go/ql/lib/semmle/go/frameworks/Gin.qll b/go/ql/lib/semmle/go/frameworks/Gin.qll new file mode 100644 index 000000000000..71ed5d931fa3 --- /dev/null +++ b/go/ql/lib/semmle/go/frameworks/Gin.qll @@ -0,0 +1,24 @@ +/** + * Provides classes for modeling the `github.com/gin-gonic/gin` package. + */ + +import go +import semmle.go.concepts.HTTP + +/** Provides models for the `gin-gonic/gin` package. */ +module Gin { + /** Gets the package name `github.com/gin-gonic/gin`. */ + string packagePath() { result = package("github.com/gin-gonic/gin", "") } + + private class GinCookieWrite extends Http::CookieWrite::Range, DataFlow::MethodCallNode { + GinCookieWrite() { this.getTarget().hasQualifiedName(packagePath(), "Context", "SetCookie") } + + override DataFlow::Node getName() { result = this.getArgument(0) } + + override DataFlow::Node getValue() { result = this.getArgument(1) } + + override DataFlow::Node getSecure() { result = this.getArgument(5) } + + override DataFlow::Node getHttpOnly() { result = this.getArgument(6) } + } +} From a68b7ca25005e5825f21feb3be309cfa4aff7bdd Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Thu, 6 Nov 2025 16:54:15 +0000 Subject: [PATCH 4/5] Add tests --- .../CWE-1004/CookieWithoutHttpOnly.expected | 139 ++++ .../CWE-1004/CookieWithoutHttpOnly.go | 136 ++++ .../CWE-1004/CookieWithoutHttpOnly.qlref | 2 + .../test/query-tests/Security/CWE-1004/go.mod | 8 + .../vendor/github.com/gin-gonic/gin/LICENSE | 21 + .../github.com/gin-gonic/gin/binding/stub.go | 12 + .../vendor/github.com/gin-gonic/gin/stub.go | 677 ++++++++++++++++++ .../github.com/gorilla/sessions/stub.go | 75 ++ .../Security/CWE-1004/vendor/modules.txt | 6 + .../CWE-614/CookieWithoutSecure.expected | 6 + .../Security/CWE-614/CookieWithoutSecure.go | 107 +++ .../CWE-614/CookieWithoutSecure.qlref | 2 + .../test/query-tests/Security/CWE-614/go.mod | 8 + .../vendor/github.com/gin-gonic/gin/LICENSE | 21 + .../github.com/gin-gonic/gin/binding/stub.go | 12 + .../vendor/github.com/gin-gonic/gin/stub.go | 677 ++++++++++++++++++ .../github.com/gorilla/sessions/stub.go | 75 ++ .../Security/CWE-614/vendor/modules.txt | 6 + 18 files changed, 1990 insertions(+) create mode 100644 go/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.expected create mode 100644 go/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.go create mode 100644 go/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.qlref create mode 100644 go/ql/test/query-tests/Security/CWE-1004/go.mod create mode 100644 go/ql/test/query-tests/Security/CWE-1004/vendor/github.com/gin-gonic/gin/LICENSE create mode 100644 go/ql/test/query-tests/Security/CWE-1004/vendor/github.com/gin-gonic/gin/binding/stub.go create mode 100644 go/ql/test/query-tests/Security/CWE-1004/vendor/github.com/gin-gonic/gin/stub.go create mode 100644 go/ql/test/query-tests/Security/CWE-1004/vendor/github.com/gorilla/sessions/stub.go create mode 100644 go/ql/test/query-tests/Security/CWE-1004/vendor/modules.txt create mode 100644 go/ql/test/query-tests/Security/CWE-614/CookieWithoutSecure.expected create mode 100644 go/ql/test/query-tests/Security/CWE-614/CookieWithoutSecure.go create mode 100644 go/ql/test/query-tests/Security/CWE-614/CookieWithoutSecure.qlref create mode 100644 go/ql/test/query-tests/Security/CWE-614/go.mod create mode 100644 go/ql/test/query-tests/Security/CWE-614/vendor/github.com/gin-gonic/gin/LICENSE create mode 100644 go/ql/test/query-tests/Security/CWE-614/vendor/github.com/gin-gonic/gin/binding/stub.go create mode 100644 go/ql/test/query-tests/Security/CWE-614/vendor/github.com/gin-gonic/gin/stub.go create mode 100644 go/ql/test/query-tests/Security/CWE-614/vendor/github.com/gorilla/sessions/stub.go create mode 100644 go/ql/test/query-tests/Security/CWE-614/vendor/modules.txt diff --git a/go/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.expected b/go/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.expected new file mode 100644 index 000000000000..93988411db21 --- /dev/null +++ b/go/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.expected @@ -0,0 +1,139 @@ +#select +| CookieWithoutHttpOnly.go:14:2:14:22 | call to SetCookie | CookieWithoutHttpOnly.go:11:10:11:18 | "session" | CookieWithoutHttpOnly.go:14:20:14:21 | &... | Sensitive cookie $@ does not set HttpOnly attribute to true. | CookieWithoutHttpOnly.go:11:10:11:18 | "session" | session | +| CookieWithoutHttpOnly.go:23:2:23:22 | call to SetCookie | CookieWithoutHttpOnly.go:19:13:19:21 | "session" | CookieWithoutHttpOnly.go:23:20:23:21 | &... | Sensitive cookie $@ does not set HttpOnly attribute to true. | CookieWithoutHttpOnly.go:19:13:19:21 | "session" | session | +| CookieWithoutHttpOnly.go:50:2:50:22 | call to SetCookie | CookieWithoutHttpOnly.go:46:10:46:18 | "session" | CookieWithoutHttpOnly.go:50:20:50:21 | &... | Sensitive cookie $@ does not set HttpOnly attribute to true. | CookieWithoutHttpOnly.go:46:10:46:18 | "session" | session | +| CookieWithoutHttpOnly.go:60:2:60:22 | call to SetCookie | CookieWithoutHttpOnly.go:56:13:56:21 | "session" | CookieWithoutHttpOnly.go:60:20:60:21 | &... | Sensitive cookie $@ does not set HttpOnly attribute to true. | CookieWithoutHttpOnly.go:56:13:56:21 | "session" | session | +| CookieWithoutHttpOnly.go:90:2:90:22 | call to SetCookie | CookieWithoutHttpOnly.go:86:10:86:18 | "session" | CookieWithoutHttpOnly.go:90:20:90:21 | &... | Sensitive cookie $@ does not set HttpOnly attribute to true. | CookieWithoutHttpOnly.go:86:10:86:18 | "session" | session | +| CookieWithoutHttpOnly.go:109:2:109:22 | call to SetCookie | CookieWithoutHttpOnly.go:103:10:103:18 | "session" | CookieWithoutHttpOnly.go:109:20:109:21 | &... | Sensitive cookie $@ does not set HttpOnly attribute to true. | CookieWithoutHttpOnly.go:103:10:103:18 | "session" | session | +| CookieWithoutHttpOnly.go:119:2:119:22 | call to SetCookie | CookieWithoutHttpOnly.go:113:13:113:24 | "login_name" | CookieWithoutHttpOnly.go:119:20:119:21 | &... | Sensitive cookie $@ does not set HttpOnly attribute to true. | CookieWithoutHttpOnly.go:113:13:113:24 | "login_name" | login_name | +| CookieWithoutHttpOnly.go:119:2:119:22 | call to SetCookie | CookieWithoutHttpOnly.go:115:10:115:16 | session | CookieWithoutHttpOnly.go:119:20:119:21 | &... | Sensitive cookie $@ does not set HttpOnly attribute to true. | CookieWithoutHttpOnly.go:115:10:115:16 | session | session | +| CookieWithoutHttpOnly.go:131:4:131:71 | call to SetCookie | CookieWithoutHttpOnly.go:131:16:131:24 | "session" | CookieWithoutHttpOnly.go:131:16:131:24 | "session" | Sensitive cookie $@ does not set HttpOnly attribute to true. | CookieWithoutHttpOnly.go:131:16:131:24 | "session" | session | +edges +| CookieWithoutHttpOnly.go:10:7:13:2 | struct literal | CookieWithoutHttpOnly.go:14:20:14:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:10:7:13:2 | struct literal | CookieWithoutHttpOnly.go:14:21:14:21 | c | provenance | | +| CookieWithoutHttpOnly.go:11:10:11:18 | "session" | CookieWithoutHttpOnly.go:10:7:13:2 | struct literal | provenance | Config | +| CookieWithoutHttpOnly.go:14:20:14:21 | &... [pointer] | CookieWithoutHttpOnly.go:14:20:14:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:14:21:14:21 | c | CookieWithoutHttpOnly.go:14:20:14:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:14:21:14:21 | c | CookieWithoutHttpOnly.go:14:20:14:21 | &... [pointer] | provenance | | +| CookieWithoutHttpOnly.go:18:7:22:2 | struct literal | CookieWithoutHttpOnly.go:23:20:23:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:18:7:22:2 | struct literal | CookieWithoutHttpOnly.go:23:21:23:21 | c | provenance | | +| CookieWithoutHttpOnly.go:19:13:19:21 | "session" | CookieWithoutHttpOnly.go:18:7:22:2 | struct literal | provenance | Config | +| CookieWithoutHttpOnly.go:23:20:23:21 | &... [pointer] | CookieWithoutHttpOnly.go:23:20:23:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:23:21:23:21 | c | CookieWithoutHttpOnly.go:23:20:23:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:23:21:23:21 | c | CookieWithoutHttpOnly.go:23:20:23:21 | &... [pointer] | provenance | | +| CookieWithoutHttpOnly.go:27:7:31:2 | struct literal | CookieWithoutHttpOnly.go:32:20:32:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:27:7:31:2 | struct literal | CookieWithoutHttpOnly.go:32:21:32:21 | c | provenance | | +| CookieWithoutHttpOnly.go:28:13:28:21 | "session" | CookieWithoutHttpOnly.go:27:7:31:2 | struct literal | provenance | Config | +| CookieWithoutHttpOnly.go:32:20:32:21 | &... [pointer] | CookieWithoutHttpOnly.go:32:20:32:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:32:21:32:21 | c | CookieWithoutHttpOnly.go:32:20:32:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:32:21:32:21 | c | CookieWithoutHttpOnly.go:32:20:32:21 | &... [pointer] | provenance | | +| CookieWithoutHttpOnly.go:36:7:39:2 | struct literal | CookieWithoutHttpOnly.go:41:20:41:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:36:7:39:2 | struct literal | CookieWithoutHttpOnly.go:41:21:41:21 | c | provenance | | +| CookieWithoutHttpOnly.go:37:10:37:18 | "session" | CookieWithoutHttpOnly.go:36:7:39:2 | struct literal | provenance | Config | +| CookieWithoutHttpOnly.go:41:20:41:21 | &... [pointer] | CookieWithoutHttpOnly.go:41:20:41:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:41:21:41:21 | c | CookieWithoutHttpOnly.go:41:20:41:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:41:21:41:21 | c | CookieWithoutHttpOnly.go:41:20:41:21 | &... [pointer] | provenance | | +| CookieWithoutHttpOnly.go:45:7:48:2 | struct literal | CookieWithoutHttpOnly.go:50:20:50:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:45:7:48:2 | struct literal | CookieWithoutHttpOnly.go:50:21:50:21 | c | provenance | | +| CookieWithoutHttpOnly.go:46:10:46:18 | "session" | CookieWithoutHttpOnly.go:45:7:48:2 | struct literal | provenance | Config | +| CookieWithoutHttpOnly.go:50:20:50:21 | &... [pointer] | CookieWithoutHttpOnly.go:50:20:50:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:50:21:50:21 | c | CookieWithoutHttpOnly.go:50:20:50:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:50:21:50:21 | c | CookieWithoutHttpOnly.go:50:20:50:21 | &... [pointer] | provenance | | +| CookieWithoutHttpOnly.go:55:7:59:2 | struct literal | CookieWithoutHttpOnly.go:60:20:60:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:55:7:59:2 | struct literal | CookieWithoutHttpOnly.go:60:21:60:21 | c | provenance | | +| CookieWithoutHttpOnly.go:56:13:56:21 | "session" | CookieWithoutHttpOnly.go:55:7:59:2 | struct literal | provenance | Config | +| CookieWithoutHttpOnly.go:60:20:60:21 | &... [pointer] | CookieWithoutHttpOnly.go:60:20:60:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:60:21:60:21 | c | CookieWithoutHttpOnly.go:60:20:60:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:60:21:60:21 | c | CookieWithoutHttpOnly.go:60:20:60:21 | &... [pointer] | provenance | | +| CookieWithoutHttpOnly.go:65:7:69:2 | struct literal | CookieWithoutHttpOnly.go:70:20:70:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:65:7:69:2 | struct literal | CookieWithoutHttpOnly.go:70:21:70:21 | c | provenance | | +| CookieWithoutHttpOnly.go:66:13:66:21 | "session" | CookieWithoutHttpOnly.go:65:7:69:2 | struct literal | provenance | Config | +| CookieWithoutHttpOnly.go:70:20:70:21 | &... [pointer] | CookieWithoutHttpOnly.go:70:20:70:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:70:21:70:21 | c | CookieWithoutHttpOnly.go:70:20:70:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:70:21:70:21 | c | CookieWithoutHttpOnly.go:70:20:70:21 | &... [pointer] | provenance | | +| CookieWithoutHttpOnly.go:75:7:78:2 | struct literal | CookieWithoutHttpOnly.go:80:20:80:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:75:7:78:2 | struct literal | CookieWithoutHttpOnly.go:80:21:80:21 | c | provenance | | +| CookieWithoutHttpOnly.go:76:10:76:18 | "session" | CookieWithoutHttpOnly.go:75:7:78:2 | struct literal | provenance | Config | +| CookieWithoutHttpOnly.go:80:20:80:21 | &... [pointer] | CookieWithoutHttpOnly.go:80:20:80:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:80:21:80:21 | c | CookieWithoutHttpOnly.go:80:20:80:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:80:21:80:21 | c | CookieWithoutHttpOnly.go:80:20:80:21 | &... [pointer] | provenance | | +| CookieWithoutHttpOnly.go:85:7:88:2 | struct literal | CookieWithoutHttpOnly.go:90:20:90:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:85:7:88:2 | struct literal | CookieWithoutHttpOnly.go:90:21:90:21 | c | provenance | | +| CookieWithoutHttpOnly.go:86:10:86:18 | "session" | CookieWithoutHttpOnly.go:85:7:88:2 | struct literal | provenance | Config | +| CookieWithoutHttpOnly.go:90:20:90:21 | &... [pointer] | CookieWithoutHttpOnly.go:90:20:90:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:90:21:90:21 | c | CookieWithoutHttpOnly.go:90:20:90:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:90:21:90:21 | c | CookieWithoutHttpOnly.go:90:20:90:21 | &... [pointer] | provenance | | +| CookieWithoutHttpOnly.go:103:10:103:18 | "session" | CookieWithoutHttpOnly.go:105:10:105:13 | name | provenance | | +| CookieWithoutHttpOnly.go:104:7:107:2 | struct literal | CookieWithoutHttpOnly.go:109:20:109:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:104:7:107:2 | struct literal | CookieWithoutHttpOnly.go:109:21:109:21 | c | provenance | | +| CookieWithoutHttpOnly.go:105:10:105:13 | name | CookieWithoutHttpOnly.go:104:7:107:2 | struct literal | provenance | Config | +| CookieWithoutHttpOnly.go:109:20:109:21 | &... [pointer] | CookieWithoutHttpOnly.go:109:20:109:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:109:21:109:21 | c | CookieWithoutHttpOnly.go:109:20:109:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:109:21:109:21 | c | CookieWithoutHttpOnly.go:109:20:109:21 | &... [pointer] | provenance | | +| CookieWithoutHttpOnly.go:113:13:113:24 | "login_name" | CookieWithoutHttpOnly.go:115:10:115:16 | session | provenance | | +| CookieWithoutHttpOnly.go:114:7:117:2 | struct literal | CookieWithoutHttpOnly.go:119:20:119:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:114:7:117:2 | struct literal | CookieWithoutHttpOnly.go:119:21:119:21 | c | provenance | | +| CookieWithoutHttpOnly.go:115:10:115:16 | session | CookieWithoutHttpOnly.go:114:7:117:2 | struct literal | provenance | Config | +| CookieWithoutHttpOnly.go:119:20:119:21 | &... [pointer] | CookieWithoutHttpOnly.go:119:20:119:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:119:21:119:21 | c | CookieWithoutHttpOnly.go:119:20:119:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:119:21:119:21 | c | CookieWithoutHttpOnly.go:119:20:119:21 | &... [pointer] | provenance | | +nodes +| CookieWithoutHttpOnly.go:10:7:13:2 | struct literal | semmle.label | struct literal | +| CookieWithoutHttpOnly.go:11:10:11:18 | "session" | semmle.label | "session" | +| CookieWithoutHttpOnly.go:14:20:14:21 | &... | semmle.label | &... | +| CookieWithoutHttpOnly.go:14:20:14:21 | &... [pointer] | semmle.label | &... [pointer] | +| CookieWithoutHttpOnly.go:14:21:14:21 | c | semmle.label | c | +| CookieWithoutHttpOnly.go:18:7:22:2 | struct literal | semmle.label | struct literal | +| CookieWithoutHttpOnly.go:19:13:19:21 | "session" | semmle.label | "session" | +| CookieWithoutHttpOnly.go:23:20:23:21 | &... | semmle.label | &... | +| CookieWithoutHttpOnly.go:23:20:23:21 | &... [pointer] | semmle.label | &... [pointer] | +| CookieWithoutHttpOnly.go:23:21:23:21 | c | semmle.label | c | +| CookieWithoutHttpOnly.go:27:7:31:2 | struct literal | semmle.label | struct literal | +| CookieWithoutHttpOnly.go:28:13:28:21 | "session" | semmle.label | "session" | +| CookieWithoutHttpOnly.go:32:20:32:21 | &... | semmle.label | &... | +| CookieWithoutHttpOnly.go:32:20:32:21 | &... [pointer] | semmle.label | &... [pointer] | +| CookieWithoutHttpOnly.go:32:21:32:21 | c | semmle.label | c | +| CookieWithoutHttpOnly.go:36:7:39:2 | struct literal | semmle.label | struct literal | +| CookieWithoutHttpOnly.go:37:10:37:18 | "session" | semmle.label | "session" | +| CookieWithoutHttpOnly.go:41:20:41:21 | &... | semmle.label | &... | +| CookieWithoutHttpOnly.go:41:20:41:21 | &... [pointer] | semmle.label | &... [pointer] | +| CookieWithoutHttpOnly.go:41:21:41:21 | c | semmle.label | c | +| CookieWithoutHttpOnly.go:45:7:48:2 | struct literal | semmle.label | struct literal | +| CookieWithoutHttpOnly.go:46:10:46:18 | "session" | semmle.label | "session" | +| CookieWithoutHttpOnly.go:50:20:50:21 | &... | semmle.label | &... | +| CookieWithoutHttpOnly.go:50:20:50:21 | &... [pointer] | semmle.label | &... [pointer] | +| CookieWithoutHttpOnly.go:50:21:50:21 | c | semmle.label | c | +| CookieWithoutHttpOnly.go:55:7:59:2 | struct literal | semmle.label | struct literal | +| CookieWithoutHttpOnly.go:56:13:56:21 | "session" | semmle.label | "session" | +| CookieWithoutHttpOnly.go:60:20:60:21 | &... | semmle.label | &... | +| CookieWithoutHttpOnly.go:60:20:60:21 | &... [pointer] | semmle.label | &... [pointer] | +| CookieWithoutHttpOnly.go:60:21:60:21 | c | semmle.label | c | +| CookieWithoutHttpOnly.go:65:7:69:2 | struct literal | semmle.label | struct literal | +| CookieWithoutHttpOnly.go:66:13:66:21 | "session" | semmle.label | "session" | +| CookieWithoutHttpOnly.go:70:20:70:21 | &... | semmle.label | &... | +| CookieWithoutHttpOnly.go:70:20:70:21 | &... [pointer] | semmle.label | &... [pointer] | +| CookieWithoutHttpOnly.go:70:21:70:21 | c | semmle.label | c | +| CookieWithoutHttpOnly.go:75:7:78:2 | struct literal | semmle.label | struct literal | +| CookieWithoutHttpOnly.go:76:10:76:18 | "session" | semmle.label | "session" | +| CookieWithoutHttpOnly.go:80:20:80:21 | &... | semmle.label | &... | +| CookieWithoutHttpOnly.go:80:20:80:21 | &... [pointer] | semmle.label | &... [pointer] | +| CookieWithoutHttpOnly.go:80:21:80:21 | c | semmle.label | c | +| CookieWithoutHttpOnly.go:85:7:88:2 | struct literal | semmle.label | struct literal | +| CookieWithoutHttpOnly.go:86:10:86:18 | "session" | semmle.label | "session" | +| CookieWithoutHttpOnly.go:90:20:90:21 | &... | semmle.label | &... | +| CookieWithoutHttpOnly.go:90:20:90:21 | &... [pointer] | semmle.label | &... [pointer] | +| CookieWithoutHttpOnly.go:90:21:90:21 | c | semmle.label | c | +| CookieWithoutHttpOnly.go:103:10:103:18 | "session" | semmle.label | "session" | +| CookieWithoutHttpOnly.go:104:7:107:2 | struct literal | semmle.label | struct literal | +| CookieWithoutHttpOnly.go:105:10:105:13 | name | semmle.label | name | +| CookieWithoutHttpOnly.go:109:20:109:21 | &... | semmle.label | &... | +| CookieWithoutHttpOnly.go:109:20:109:21 | &... [pointer] | semmle.label | &... [pointer] | +| CookieWithoutHttpOnly.go:109:21:109:21 | c | semmle.label | c | +| CookieWithoutHttpOnly.go:113:13:113:24 | "login_name" | semmle.label | "login_name" | +| CookieWithoutHttpOnly.go:114:7:117:2 | struct literal | semmle.label | struct literal | +| CookieWithoutHttpOnly.go:115:10:115:16 | session | semmle.label | session | +| CookieWithoutHttpOnly.go:119:20:119:21 | &... | semmle.label | &... | +| CookieWithoutHttpOnly.go:119:20:119:21 | &... [pointer] | semmle.label | &... [pointer] | +| CookieWithoutHttpOnly.go:119:21:119:21 | c | semmle.label | c | +| CookieWithoutHttpOnly.go:131:16:131:24 | "session" | semmle.label | "session" | +subpaths diff --git a/go/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.go b/go/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.go new file mode 100644 index 000000000000..0e3958aca2e5 --- /dev/null +++ b/go/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.go @@ -0,0 +1,136 @@ +package main + +import ( + "net/http" + + "github.com/gin-gonic/gin" +) + +func handler1(w http.ResponseWriter, r *http.Request) { + c := http.Cookie{ + Name: "session", // $ Source + Value: "secret", + } + http.SetCookie(w, &c) // $ Alert // BAD: HttpOnly set to false by default +} + +func handler2(w http.ResponseWriter, r *http.Request) { + c := http.Cookie{ + Name: "session", // $ Source + Value: "secret", + HttpOnly: false, + } + http.SetCookie(w, &c) // $ Alert // BAD: HttpOnly explicitly set to false +} + +func handler3(w http.ResponseWriter, r *http.Request) { + c := http.Cookie{ + Name: "session", + Value: "secret", + HttpOnly: true, + } + http.SetCookie(w, &c) // GOOD: HttpOnly explicitly set to true +} + +func handler4(w http.ResponseWriter, r *http.Request) { + c := http.Cookie{ + Name: "session", + Value: "secret", + } + c.HttpOnly = true + http.SetCookie(w, &c) // GOOD: HttpOnly explicitly set to true +} + +func handler5(w http.ResponseWriter, r *http.Request) { + c := http.Cookie{ + Name: "session", // $ Source + Value: "secret", + } + c.HttpOnly = false + http.SetCookie(w, &c) // $ Alert // BAD: HttpOnly explicitly set to false +} + +func handler6(w http.ResponseWriter, r *http.Request) { + val := false + c := http.Cookie{ + Name: "session", // $ Source + Value: "secret", + HttpOnly: val, + } + http.SetCookie(w, &c) // $ Alert // BAD: HttpOnly explicitly set to false +} + +func handler7(w http.ResponseWriter, r *http.Request) { + val := true + c := http.Cookie{ + Name: "session", + Value: "secret", + HttpOnly: val, + } + http.SetCookie(w, &c) // GOOD: HttpOnly explicitly set to true +} + +func handler8(w http.ResponseWriter, r *http.Request) { + val := true + c := http.Cookie{ + Name: "session", + Value: "secret", + } + c.HttpOnly = val + http.SetCookie(w, &c) // GOOD: HttpOnly explicitly set to true +} + +func handler9(w http.ResponseWriter, r *http.Request) { + val := false + c := http.Cookie{ + Name: "session", // $ Source + Value: "secret", + } + c.HttpOnly = val + http.SetCookie(w, &c) // $ Alert //BAD: HttpOnly explicitly set to false +} + +func handler10(w http.ResponseWriter, r *http.Request) { + c := http.Cookie{ + Name: "consent", + Value: "1", + } + c.HttpOnly = false + http.SetCookie(w, &c) // GOOD: Name is not auth related +} + +func handler11(w http.ResponseWriter, r *http.Request) { + name := "session" // $ Source + c := http.Cookie{ + Name: name, + Value: "secret", + } + c.HttpOnly = false + http.SetCookie(w, &c) // $ Alert // BAD: auth related name +} + +func handler12(w http.ResponseWriter, r *http.Request) { + session := "login_name" // $ Source + c := http.Cookie{ + Name: session, // $ Source + Value: "secret", + } + c.HttpOnly = false + http.SetCookie(w, &c) // $ Alert // BAD: auth related name +} + +func main() { + + router := gin.Default() + + router.GET("/cookie", func(c *gin.Context) { + + _, err := c.Cookie("session") + + if err != nil { + c.SetCookie("session", "test", 3600, "/", "localhost", false, false) // $ Alert // BAD: httpOnly set to false + } + }) + + router.Run() +} diff --git a/go/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.qlref b/go/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.qlref new file mode 100644 index 000000000000..3f81c27e867f --- /dev/null +++ b/go/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.qlref @@ -0,0 +1,2 @@ +query: security/CWE-1004/CookieWithoutHttpOnly.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/go/ql/test/query-tests/Security/CWE-1004/go.mod b/go/ql/test/query-tests/Security/CWE-1004/go.mod new file mode 100644 index 000000000000..5ab32129a9b9 --- /dev/null +++ b/go/ql/test/query-tests/Security/CWE-1004/go.mod @@ -0,0 +1,8 @@ +module example.com/m + +go 1.14 + +require ( + github.com/gin-gonic/gin v1.7.1 + github.com/gorilla/sessions v1.2.1 + ) diff --git a/go/ql/test/query-tests/Security/CWE-1004/vendor/github.com/gin-gonic/gin/LICENSE b/go/ql/test/query-tests/Security/CWE-1004/vendor/github.com/gin-gonic/gin/LICENSE new file mode 100644 index 000000000000..1ff7f3706055 --- /dev/null +++ b/go/ql/test/query-tests/Security/CWE-1004/vendor/github.com/gin-gonic/gin/LICENSE @@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2014 Manuel Martínez-Almeida + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/go/ql/test/query-tests/Security/CWE-1004/vendor/github.com/gin-gonic/gin/binding/stub.go b/go/ql/test/query-tests/Security/CWE-1004/vendor/github.com/gin-gonic/gin/binding/stub.go new file mode 100644 index 000000000000..43fd634edcd3 --- /dev/null +++ b/go/ql/test/query-tests/Security/CWE-1004/vendor/github.com/gin-gonic/gin/binding/stub.go @@ -0,0 +1,12 @@ +// Code generated by depstubber. DO NOT EDIT. +// This is a simple stub for github.com/gin-gonic/gin/binding, strictly for use in testing. + +// See the LICENSE file for information about the licensing of the original library. +// Source: github.com/gin-gonic/gin/binding (exports: ; functions: YAML) + +// Package binding is a stub of github.com/gin-gonic/gin/binding, generated by depstubber. +package binding + +import () + +var YAML interface{} = nil diff --git a/go/ql/test/query-tests/Security/CWE-1004/vendor/github.com/gin-gonic/gin/stub.go b/go/ql/test/query-tests/Security/CWE-1004/vendor/github.com/gin-gonic/gin/stub.go new file mode 100644 index 000000000000..e343d5f2aa08 --- /dev/null +++ b/go/ql/test/query-tests/Security/CWE-1004/vendor/github.com/gin-gonic/gin/stub.go @@ -0,0 +1,677 @@ +// Code generated by depstubber. DO NOT EDIT. +// This is a simple stub for github.com/gin-gonic/gin, strictly for use in testing. + +// See the LICENSE file for information about the licensing of the original library. +// Source: github.com/gin-gonic/gin (exports: Context; functions: Default) + +// Package gin is a stub of github.com/gin-gonic/gin, generated by depstubber. +package gin + +import ( + bufio "bufio" + template "html/template" + io "io" + multipart "mime/multipart" + net "net" + http "net/http" + time "time" +) + +type Context struct { + Request *http.Request + Writer ResponseWriter + Params Params + Keys map[string]interface{} + Errors interface{} + Accepted []string +} + +func (_ *Context) Abort() {} + +func (_ *Context) AbortWithError(_ int, _ error) *Error { + return nil +} + +func (_ *Context) AbortWithStatus(_ int) {} + +func (_ *Context) AbortWithStatusJSON(_ int, _ interface{}) {} + +func (_ *Context) AsciiJSON(_ int, _ interface{}) {} + +func (_ *Context) Bind(_ interface{}) error { + return nil +} + +func (_ *Context) BindHeader(_ interface{}) error { + return nil +} + +func (_ *Context) BindJSON(_ interface{}) error { + return nil +} + +func (_ *Context) BindQuery(_ interface{}) error { + return nil +} + +func (_ *Context) BindUri(_ interface{}) error { + return nil +} + +func (_ *Context) BindWith(_ interface{}, _ interface{}) error { + return nil +} + +func (_ *Context) BindXML(_ interface{}) error { + return nil +} + +func (_ *Context) BindYAML(_ interface{}) error { + return nil +} + +func (_ *Context) ClientIP() string { + return "" +} + +func (_ *Context) ContentType() string { + return "" +} + +func (_ *Context) Cookie(_ string) (string, error) { + return "", nil +} + +func (_ *Context) Copy() *Context { + return nil +} + +func (_ *Context) Data(_ int, _ string, _ []byte) {} + +func (_ *Context) DataFromReader(_ int, _ int64, _ string, _ io.Reader, _ map[string]string) {} + +func (_ *Context) Deadline() (time.Time, bool) { + return time.Time{}, false +} + +func (_ *Context) DefaultPostForm(_ string, _ string) string { + return "" +} + +func (_ *Context) DefaultQuery(_ string, _ string) string { + return "" +} + +func (_ *Context) Done() <-chan struct{} { + return nil +} + +func (_ *Context) Err() error { + return nil +} + +func (_ *Context) Error(_ error) *Error { + return nil +} + +func (_ *Context) File(_ string) {} + +func (_ *Context) FileAttachment(_ string, _ string) {} + +func (_ *Context) FileFromFS(_ string, _ http.FileSystem) {} + +func (_ *Context) FormFile(_ string) (*multipart.FileHeader, error) { + return nil, nil +} + +func (_ *Context) FullPath() string { + return "" +} + +func (_ *Context) Get(_ string) (interface{}, bool) { + return nil, false +} + +func (_ *Context) GetBool(_ string) bool { + return false +} + +func (_ *Context) GetDuration(_ string) time.Duration { + return 0 +} + +func (_ *Context) GetFloat64(_ string) float64 { + return 0 +} + +func (_ *Context) GetHeader(_ string) string { + return "" +} + +func (_ *Context) GetInt(_ string) int { + return 0 +} + +func (_ *Context) GetInt64(_ string) int64 { + return 0 +} + +func (_ *Context) GetPostForm(_ string) (string, bool) { + return "", false +} + +func (_ *Context) GetPostFormArray(_ string) ([]string, bool) { + return nil, false +} + +func (_ *Context) GetPostFormMap(_ string) (map[string]string, bool) { + return nil, false +} + +func (_ *Context) GetQuery(_ string) (string, bool) { + return "", false +} + +func (_ *Context) GetQueryArray(_ string) ([]string, bool) { + return nil, false +} + +func (_ *Context) GetQueryMap(_ string) (map[string]string, bool) { + return nil, false +} + +func (_ *Context) GetRawData() ([]byte, error) { + return nil, nil +} + +func (_ *Context) GetString(_ string) string { + return "" +} + +func (_ *Context) GetStringMap(_ string) map[string]interface{} { + return nil +} + +func (_ *Context) GetStringMapString(_ string) map[string]string { + return nil +} + +func (_ *Context) GetStringMapStringSlice(_ string) map[string][]string { + return nil +} + +func (_ *Context) GetStringSlice(_ string) []string { + return nil +} + +func (_ *Context) GetTime(_ string) time.Time { + return time.Time{} +} + +func (_ *Context) GetUint(_ string) uint { + return 0 +} + +func (_ *Context) GetUint64(_ string) uint64 { + return 0 +} + +func (_ *Context) HTML(_ int, _ string, _ interface{}) {} + +func (_ *Context) Handler() HandlerFunc { + return nil +} + +func (_ *Context) HandlerName() string { + return "" +} + +func (_ *Context) HandlerNames() []string { + return nil +} + +func (_ *Context) Header(_ string, _ string) {} + +func (_ *Context) IndentedJSON(_ int, _ interface{}) {} + +func (_ *Context) IsAborted() bool { + return false +} + +func (_ *Context) IsWebsocket() bool { + return false +} + +func (_ *Context) JSON(_ int, _ interface{}) {} + +func (_ *Context) JSONP(_ int, _ interface{}) {} + +func (_ *Context) MultipartForm() (*multipart.Form, error) { + return nil, nil +} + +func (_ *Context) MustBindWith(_ interface{}, _ interface{}) error { + return nil +} + +func (_ *Context) MustGet(_ string) interface{} { + return nil +} + +func (_ *Context) Negotiate(_ int, _ Negotiate) {} + +func (_ *Context) NegotiateFormat(_ ...string) string { + return "" +} + +func (_ *Context) Next() {} + +func (_ *Context) Param(_ string) string { + return "" +} + +func (_ *Context) PostForm(_ string) string { + return "" +} + +func (_ *Context) PostFormArray(_ string) []string { + return nil +} + +func (_ *Context) PostFormMap(_ string) map[string]string { + return nil +} + +func (_ *Context) ProtoBuf(_ int, _ interface{}) {} + +func (_ *Context) PureJSON(_ int, _ interface{}) {} + +func (_ *Context) Query(_ string) string { + return "" +} + +func (_ *Context) QueryArray(_ string) []string { + return nil +} + +func (_ *Context) QueryMap(_ string) map[string]string { + return nil +} + +func (_ *Context) Redirect(_ int, _ string) {} + +func (_ *Context) RemoteIP() (net.IP, bool) { + return nil, false +} + +func (_ *Context) Render(_ int, _ interface{}) {} + +func (_ *Context) SSEvent(_ string, _ interface{}) {} + +func (_ *Context) SaveUploadedFile(_ *multipart.FileHeader, _ string) error { + return nil +} + +func (_ *Context) SecureJSON(_ int, _ interface{}) {} + +func (_ *Context) Set(_ string, _ interface{}) {} + +func (_ *Context) SetAccepted(_ ...string) {} + +func (_ *Context) SetCookie(_ string, _ string, _ int, _ string, _ string, _ bool, _ bool) {} + +func (_ *Context) SetSameSite(_ http.SameSite) {} + +func (_ *Context) ShouldBind(_ interface{}) error { + return nil +} + +func (_ *Context) ShouldBindBodyWith(_ interface{}, _ interface{}) error { + return nil +} + +func (_ *Context) ShouldBindHeader(_ interface{}) error { + return nil +} + +func (_ *Context) ShouldBindJSON(_ interface{}) error { + return nil +} + +func (_ *Context) ShouldBindQuery(_ interface{}) error { + return nil +} + +func (_ *Context) ShouldBindUri(_ interface{}) error { + return nil +} + +func (_ *Context) ShouldBindWith(_ interface{}, _ interface{}) error { + return nil +} + +func (_ *Context) ShouldBindXML(_ interface{}) error { + return nil +} + +func (_ *Context) ShouldBindYAML(_ interface{}) error { + return nil +} + +func (_ *Context) Status(_ int) {} + +func (_ *Context) Stream(_ func(io.Writer) bool) bool { + return false +} + +func (_ *Context) String(_ int, _ string, _ ...interface{}) {} + +func (_ *Context) Value(_ interface{}) interface{} { + return nil +} + +func (_ *Context) XML(_ int, _ interface{}) {} + +func (_ *Context) YAML(_ int, _ interface{}) {} + +func Default() *Engine { + return nil +} + +type Engine struct { + RouterGroup RouterGroup + RedirectTrailingSlash bool + RedirectFixedPath bool + HandleMethodNotAllowed bool + ForwardedByClientIP bool + RemoteIPHeaders []string + TrustedProxies []string + AppEngine bool + UseRawPath bool + UnescapePathValues bool + MaxMultipartMemory int64 + RemoveExtraSlash bool + HTMLRender interface{} + FuncMap template.FuncMap +} + +func (_ *Engine) Any(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) BasePath() string { + return "" +} + +func (_ *Engine) DELETE(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) Delims(_ string, _ string) *Engine { + return nil +} + +func (_ *Engine) GET(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) Group(_ string, _ ...HandlerFunc) *RouterGroup { + return nil +} + +func (_ *Engine) HEAD(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) Handle(_ string, _ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) HandleContext(_ *Context) {} + +func (_ *Engine) LoadHTMLFiles(_ ...string) {} + +func (_ *Engine) LoadHTMLGlob(_ string) {} + +func (_ *Engine) NoMethod(_ ...HandlerFunc) {} + +func (_ *Engine) NoRoute(_ ...HandlerFunc) {} + +func (_ *Engine) OPTIONS(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) PATCH(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) POST(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) PUT(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) Routes() RoutesInfo { + return nil +} + +func (_ *Engine) Run(_ ...string) error { + return nil +} + +func (_ *Engine) RunFd(_ int) error { + return nil +} + +func (_ *Engine) RunListener(_ net.Listener) error { + return nil +} + +func (_ *Engine) RunTLS(_ string, _ string, _ string) error { + return nil +} + +func (_ *Engine) RunUnix(_ string) error { + return nil +} + +func (_ *Engine) SecureJsonPrefix(_ string) *Engine { + return nil +} + +func (_ *Engine) ServeHTTP(_ http.ResponseWriter, _ *http.Request) {} + +func (_ *Engine) SetFuncMap(_ template.FuncMap) {} + +func (_ *Engine) SetHTMLTemplate(_ *template.Template) {} + +func (_ *Engine) Static(_ string, _ string) IRoutes { + return nil +} + +func (_ *Engine) StaticFS(_ string, _ http.FileSystem) IRoutes { + return nil +} + +func (_ *Engine) StaticFile(_ string, _ string) IRoutes { + return nil +} + +func (_ *Engine) Use(_ ...HandlerFunc) IRoutes { + return nil +} + +type Error struct { + Err error + Type ErrorType + Meta interface{} +} + +func (_ Error) Error() string { + return "" +} + +func (_ *Error) IsType(_ ErrorType) bool { + return false +} + +func (_ *Error) JSON() interface{} { + return nil +} + +func (_ *Error) MarshalJSON() ([]byte, error) { + return nil, nil +} + +func (_ *Error) SetMeta(_ interface{}) *Error { + return nil +} + +func (_ *Error) SetType(_ ErrorType) *Error { + return nil +} + +func (_ *Error) Unwrap() error { + return nil +} + +type ErrorType uint64 + +type HandlerFunc func(*Context) + +type HandlersChain []HandlerFunc + +func (_ HandlersChain) Last() HandlerFunc { + return nil +} + +type IRoutes interface { + Any(_ string, _ ...HandlerFunc) IRoutes + DELETE(_ string, _ ...HandlerFunc) IRoutes + GET(_ string, _ ...HandlerFunc) IRoutes + HEAD(_ string, _ ...HandlerFunc) IRoutes + Handle(_ string, _ string, _ ...HandlerFunc) IRoutes + OPTIONS(_ string, _ ...HandlerFunc) IRoutes + PATCH(_ string, _ ...HandlerFunc) IRoutes + POST(_ string, _ ...HandlerFunc) IRoutes + PUT(_ string, _ ...HandlerFunc) IRoutes + Static(_ string, _ string) IRoutes + StaticFS(_ string, _ http.FileSystem) IRoutes + StaticFile(_ string, _ string) IRoutes + Use(_ ...HandlerFunc) IRoutes +} + +type Negotiate struct { + Offered []string + HTMLName string + HTMLData interface{} + JSONData interface{} + XMLData interface{} + YAMLData interface{} + Data interface{} +} + +type Param struct { + Key string + Value string +} + +type Params []Param + +func (_ Params) ByName(_ string) string { + return "" +} + +func (_ Params) Get(_ string) (string, bool) { + return "", false +} + +type ResponseWriter interface { + CloseNotify() <-chan bool + Flush() + Header() http.Header + Hijack() (net.Conn, *bufio.ReadWriter, error) + Pusher() http.Pusher + Size() int + Status() int + Write(_ []byte) (int, error) + WriteHeader(_ int) + WriteHeaderNow() + WriteString(_ string) (int, error) + Written() bool +} + +type RouteInfo struct { + Method string + Path string + Handler string + HandlerFunc HandlerFunc +} + +type RouterGroup struct { + Handlers HandlersChain +} + +func (_ *RouterGroup) Any(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) BasePath() string { + return "" +} + +func (_ *RouterGroup) DELETE(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) GET(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) Group(_ string, _ ...HandlerFunc) *RouterGroup { + return nil +} + +func (_ *RouterGroup) HEAD(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) Handle(_ string, _ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) OPTIONS(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) PATCH(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) POST(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) PUT(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) Static(_ string, _ string) IRoutes { + return nil +} + +func (_ *RouterGroup) StaticFS(_ string, _ http.FileSystem) IRoutes { + return nil +} + +func (_ *RouterGroup) StaticFile(_ string, _ string) IRoutes { + return nil +} + +func (_ *RouterGroup) Use(_ ...HandlerFunc) IRoutes { + return nil +} + +type RoutesInfo []RouteInfo diff --git a/go/ql/test/query-tests/Security/CWE-1004/vendor/github.com/gorilla/sessions/stub.go b/go/ql/test/query-tests/Security/CWE-1004/vendor/github.com/gorilla/sessions/stub.go new file mode 100644 index 000000000000..2ebc3858163f --- /dev/null +++ b/go/ql/test/query-tests/Security/CWE-1004/vendor/github.com/gorilla/sessions/stub.go @@ -0,0 +1,75 @@ +// Code generated by depstubber. DO NOT EDIT. +// This is a simple stub for github.com/gorilla/sessions, strictly for use in testing. + +// See the LICENSE file for information about the licensing of the original library. +// Source: github.com/gorilla/sessions (exports: CookieStore; functions: NewCookieStore) + +// Package sessions is a stub of github.com/gorilla/sessions, generated by depstubber. +package sessions + +import ( + http "net/http" +) + +type CookieStore struct { + Codecs []interface{} + Options *Options +} + +func (_ *CookieStore) Get(_ *http.Request, _ string) (*Session, error) { + return nil, nil +} + +func (_ *CookieStore) MaxAge(_ int) {} + +func (_ *CookieStore) New(_ *http.Request, _ string) (*Session, error) { + return nil, nil +} + +func (_ *CookieStore) Save(_ *http.Request, _ http.ResponseWriter, _ *Session) error { + return nil +} + +func NewCookieStore(_ ...[]byte) *CookieStore { + return nil +} + +type Options struct { + Path string + Domain string + MaxAge int + Secure bool + HttpOnly bool + SameSite http.SameSite +} + +type Session struct { + ID string + Values map[interface{}]interface{} + Options *Options + IsNew bool +} + +func (_ *Session) AddFlash(_ interface{}, _ ...string) {} + +func (_ *Session) Flashes(_ ...string) []interface{} { + return nil +} + +func (_ *Session) Name() string { + return "" +} + +func (_ *Session) Save(_ *http.Request, _ http.ResponseWriter) error { + return nil +} + +func (_ *Session) Store() Store { + return nil +} + +type Store interface { + Get(_ *http.Request, _ string) (*Session, error) + New(_ *http.Request, _ string) (*Session, error) + Save(_ *http.Request, _ http.ResponseWriter, _ *Session) error +} diff --git a/go/ql/test/query-tests/Security/CWE-1004/vendor/modules.txt b/go/ql/test/query-tests/Security/CWE-1004/vendor/modules.txt new file mode 100644 index 000000000000..f38695b1ffcb --- /dev/null +++ b/go/ql/test/query-tests/Security/CWE-1004/vendor/modules.txt @@ -0,0 +1,6 @@ +# github.com/gin-gonic/gin v1.7.1 +## explicit +github.com/gin-gonic/gin +# github.com/gorilla/sessions v1.2.1 +## explicit +github.com/gorilla/sessions diff --git a/go/ql/test/query-tests/Security/CWE-614/CookieWithoutSecure.expected b/go/ql/test/query-tests/Security/CWE-614/CookieWithoutSecure.expected new file mode 100644 index 000000000000..1695d82a4f75 --- /dev/null +++ b/go/ql/test/query-tests/Security/CWE-614/CookieWithoutSecure.expected @@ -0,0 +1,6 @@ +| CookieWithoutSecure.go:14:2:14:22 | call to SetCookie | Cookie does not set Secure attribute to true. | +| CookieWithoutSecure.go:23:2:23:22 | call to SetCookie | Cookie does not set Secure attribute to true. | +| CookieWithoutSecure.go:50:2:50:22 | call to SetCookie | Cookie does not set Secure attribute to true. | +| CookieWithoutSecure.go:60:2:60:22 | call to SetCookie | Cookie does not set Secure attribute to true. | +| CookieWithoutSecure.go:90:2:90:22 | call to SetCookie | Cookie does not set Secure attribute to true. | +| CookieWithoutSecure.go:102:4:102:71 | call to SetCookie | Cookie does not set Secure attribute to true. | diff --git a/go/ql/test/query-tests/Security/CWE-614/CookieWithoutSecure.go b/go/ql/test/query-tests/Security/CWE-614/CookieWithoutSecure.go new file mode 100644 index 000000000000..a066babb6e29 --- /dev/null +++ b/go/ql/test/query-tests/Security/CWE-614/CookieWithoutSecure.go @@ -0,0 +1,107 @@ +package main + +import ( + "net/http" + + "github.com/gin-gonic/gin" +) + +func handler1(w http.ResponseWriter, r *http.Request) { + c := http.Cookie{ + Name: "session", // $ Source + Value: "secret", + } + http.SetCookie(w, &c) // $ Alert // BAD: Secure set to false by default +} + +func handler2(w http.ResponseWriter, r *http.Request) { + c := http.Cookie{ + Name: "session", // $ Source + Value: "secret", + Secure: false, + } + http.SetCookie(w, &c) // $ Alert // BAD: Secure explicitly set to false +} + +func handler3(w http.ResponseWriter, r *http.Request) { + c := http.Cookie{ + Name: "session", + Value: "secret", + Secure: true, + } + http.SetCookie(w, &c) // GOOD: Secure explicitly set to true +} + +func handler4(w http.ResponseWriter, r *http.Request) { + c := http.Cookie{ + Name: "session", + Value: "secret", + } + c.Secure = true + http.SetCookie(w, &c) // GOOD: Secure explicitly set to true +} + +func handler5(w http.ResponseWriter, r *http.Request) { + c := http.Cookie{ + Name: "session", // $ Source + Value: "secret", + } + c.Secure = false + http.SetCookie(w, &c) // $ Alert // BAD: Secure explicitly set to false +} + +func handler6(w http.ResponseWriter, r *http.Request) { + val := false + c := http.Cookie{ + Name: "session", // $ Source + Value: "secret", + Secure: val, + } + http.SetCookie(w, &c) // $ Alert // BAD: Secure explicitly set to false +} + +func handler7(w http.ResponseWriter, r *http.Request) { + val := true + c := http.Cookie{ + Name: "session", + Value: "secret", + Secure: val, + } + http.SetCookie(w, &c) // GOOD: Secure explicitly set to true +} + +func handler8(w http.ResponseWriter, r *http.Request) { + val := true + c := http.Cookie{ + Name: "session", + Value: "secret", + } + c.Secure = val + http.SetCookie(w, &c) // GOOD: Secure explicitly set to true +} + +func handler9(w http.ResponseWriter, r *http.Request) { + val := false + c := http.Cookie{ + Name: "session", // $ Source + Value: "secret", + } + c.Secure = val + http.SetCookie(w, &c) // $ Alert //BAD: Secure explicitly set to false +} + +func main() { + + router := gin.Default() + + router.GET("/cookie", func(c *gin.Context) { + + _, err := c.Cookie("session") + + if err != nil { + c.SetCookie("session", "test", 3600, "/", "localhost", false, false) // $ Alert // BAD: Secure set to false + } + }) + + router.Run() +} diff --git a/go/ql/test/query-tests/Security/CWE-614/CookieWithoutSecure.qlref b/go/ql/test/query-tests/Security/CWE-614/CookieWithoutSecure.qlref new file mode 100644 index 000000000000..dc326b1e91eb --- /dev/null +++ b/go/ql/test/query-tests/Security/CWE-614/CookieWithoutSecure.qlref @@ -0,0 +1,2 @@ +query: security/CWE-614/CookieWithoutSecure.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/go/ql/test/query-tests/Security/CWE-614/go.mod b/go/ql/test/query-tests/Security/CWE-614/go.mod new file mode 100644 index 000000000000..5ab32129a9b9 --- /dev/null +++ b/go/ql/test/query-tests/Security/CWE-614/go.mod @@ -0,0 +1,8 @@ +module example.com/m + +go 1.14 + +require ( + github.com/gin-gonic/gin v1.7.1 + github.com/gorilla/sessions v1.2.1 + ) diff --git a/go/ql/test/query-tests/Security/CWE-614/vendor/github.com/gin-gonic/gin/LICENSE b/go/ql/test/query-tests/Security/CWE-614/vendor/github.com/gin-gonic/gin/LICENSE new file mode 100644 index 000000000000..1ff7f3706055 --- /dev/null +++ b/go/ql/test/query-tests/Security/CWE-614/vendor/github.com/gin-gonic/gin/LICENSE @@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2014 Manuel Martínez-Almeida + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/go/ql/test/query-tests/Security/CWE-614/vendor/github.com/gin-gonic/gin/binding/stub.go b/go/ql/test/query-tests/Security/CWE-614/vendor/github.com/gin-gonic/gin/binding/stub.go new file mode 100644 index 000000000000..43fd634edcd3 --- /dev/null +++ b/go/ql/test/query-tests/Security/CWE-614/vendor/github.com/gin-gonic/gin/binding/stub.go @@ -0,0 +1,12 @@ +// Code generated by depstubber. DO NOT EDIT. +// This is a simple stub for github.com/gin-gonic/gin/binding, strictly for use in testing. + +// See the LICENSE file for information about the licensing of the original library. +// Source: github.com/gin-gonic/gin/binding (exports: ; functions: YAML) + +// Package binding is a stub of github.com/gin-gonic/gin/binding, generated by depstubber. +package binding + +import () + +var YAML interface{} = nil diff --git a/go/ql/test/query-tests/Security/CWE-614/vendor/github.com/gin-gonic/gin/stub.go b/go/ql/test/query-tests/Security/CWE-614/vendor/github.com/gin-gonic/gin/stub.go new file mode 100644 index 000000000000..e343d5f2aa08 --- /dev/null +++ b/go/ql/test/query-tests/Security/CWE-614/vendor/github.com/gin-gonic/gin/stub.go @@ -0,0 +1,677 @@ +// Code generated by depstubber. DO NOT EDIT. +// This is a simple stub for github.com/gin-gonic/gin, strictly for use in testing. + +// See the LICENSE file for information about the licensing of the original library. +// Source: github.com/gin-gonic/gin (exports: Context; functions: Default) + +// Package gin is a stub of github.com/gin-gonic/gin, generated by depstubber. +package gin + +import ( + bufio "bufio" + template "html/template" + io "io" + multipart "mime/multipart" + net "net" + http "net/http" + time "time" +) + +type Context struct { + Request *http.Request + Writer ResponseWriter + Params Params + Keys map[string]interface{} + Errors interface{} + Accepted []string +} + +func (_ *Context) Abort() {} + +func (_ *Context) AbortWithError(_ int, _ error) *Error { + return nil +} + +func (_ *Context) AbortWithStatus(_ int) {} + +func (_ *Context) AbortWithStatusJSON(_ int, _ interface{}) {} + +func (_ *Context) AsciiJSON(_ int, _ interface{}) {} + +func (_ *Context) Bind(_ interface{}) error { + return nil +} + +func (_ *Context) BindHeader(_ interface{}) error { + return nil +} + +func (_ *Context) BindJSON(_ interface{}) error { + return nil +} + +func (_ *Context) BindQuery(_ interface{}) error { + return nil +} + +func (_ *Context) BindUri(_ interface{}) error { + return nil +} + +func (_ *Context) BindWith(_ interface{}, _ interface{}) error { + return nil +} + +func (_ *Context) BindXML(_ interface{}) error { + return nil +} + +func (_ *Context) BindYAML(_ interface{}) error { + return nil +} + +func (_ *Context) ClientIP() string { + return "" +} + +func (_ *Context) ContentType() string { + return "" +} + +func (_ *Context) Cookie(_ string) (string, error) { + return "", nil +} + +func (_ *Context) Copy() *Context { + return nil +} + +func (_ *Context) Data(_ int, _ string, _ []byte) {} + +func (_ *Context) DataFromReader(_ int, _ int64, _ string, _ io.Reader, _ map[string]string) {} + +func (_ *Context) Deadline() (time.Time, bool) { + return time.Time{}, false +} + +func (_ *Context) DefaultPostForm(_ string, _ string) string { + return "" +} + +func (_ *Context) DefaultQuery(_ string, _ string) string { + return "" +} + +func (_ *Context) Done() <-chan struct{} { + return nil +} + +func (_ *Context) Err() error { + return nil +} + +func (_ *Context) Error(_ error) *Error { + return nil +} + +func (_ *Context) File(_ string) {} + +func (_ *Context) FileAttachment(_ string, _ string) {} + +func (_ *Context) FileFromFS(_ string, _ http.FileSystem) {} + +func (_ *Context) FormFile(_ string) (*multipart.FileHeader, error) { + return nil, nil +} + +func (_ *Context) FullPath() string { + return "" +} + +func (_ *Context) Get(_ string) (interface{}, bool) { + return nil, false +} + +func (_ *Context) GetBool(_ string) bool { + return false +} + +func (_ *Context) GetDuration(_ string) time.Duration { + return 0 +} + +func (_ *Context) GetFloat64(_ string) float64 { + return 0 +} + +func (_ *Context) GetHeader(_ string) string { + return "" +} + +func (_ *Context) GetInt(_ string) int { + return 0 +} + +func (_ *Context) GetInt64(_ string) int64 { + return 0 +} + +func (_ *Context) GetPostForm(_ string) (string, bool) { + return "", false +} + +func (_ *Context) GetPostFormArray(_ string) ([]string, bool) { + return nil, false +} + +func (_ *Context) GetPostFormMap(_ string) (map[string]string, bool) { + return nil, false +} + +func (_ *Context) GetQuery(_ string) (string, bool) { + return "", false +} + +func (_ *Context) GetQueryArray(_ string) ([]string, bool) { + return nil, false +} + +func (_ *Context) GetQueryMap(_ string) (map[string]string, bool) { + return nil, false +} + +func (_ *Context) GetRawData() ([]byte, error) { + return nil, nil +} + +func (_ *Context) GetString(_ string) string { + return "" +} + +func (_ *Context) GetStringMap(_ string) map[string]interface{} { + return nil +} + +func (_ *Context) GetStringMapString(_ string) map[string]string { + return nil +} + +func (_ *Context) GetStringMapStringSlice(_ string) map[string][]string { + return nil +} + +func (_ *Context) GetStringSlice(_ string) []string { + return nil +} + +func (_ *Context) GetTime(_ string) time.Time { + return time.Time{} +} + +func (_ *Context) GetUint(_ string) uint { + return 0 +} + +func (_ *Context) GetUint64(_ string) uint64 { + return 0 +} + +func (_ *Context) HTML(_ int, _ string, _ interface{}) {} + +func (_ *Context) Handler() HandlerFunc { + return nil +} + +func (_ *Context) HandlerName() string { + return "" +} + +func (_ *Context) HandlerNames() []string { + return nil +} + +func (_ *Context) Header(_ string, _ string) {} + +func (_ *Context) IndentedJSON(_ int, _ interface{}) {} + +func (_ *Context) IsAborted() bool { + return false +} + +func (_ *Context) IsWebsocket() bool { + return false +} + +func (_ *Context) JSON(_ int, _ interface{}) {} + +func (_ *Context) JSONP(_ int, _ interface{}) {} + +func (_ *Context) MultipartForm() (*multipart.Form, error) { + return nil, nil +} + +func (_ *Context) MustBindWith(_ interface{}, _ interface{}) error { + return nil +} + +func (_ *Context) MustGet(_ string) interface{} { + return nil +} + +func (_ *Context) Negotiate(_ int, _ Negotiate) {} + +func (_ *Context) NegotiateFormat(_ ...string) string { + return "" +} + +func (_ *Context) Next() {} + +func (_ *Context) Param(_ string) string { + return "" +} + +func (_ *Context) PostForm(_ string) string { + return "" +} + +func (_ *Context) PostFormArray(_ string) []string { + return nil +} + +func (_ *Context) PostFormMap(_ string) map[string]string { + return nil +} + +func (_ *Context) ProtoBuf(_ int, _ interface{}) {} + +func (_ *Context) PureJSON(_ int, _ interface{}) {} + +func (_ *Context) Query(_ string) string { + return "" +} + +func (_ *Context) QueryArray(_ string) []string { + return nil +} + +func (_ *Context) QueryMap(_ string) map[string]string { + return nil +} + +func (_ *Context) Redirect(_ int, _ string) {} + +func (_ *Context) RemoteIP() (net.IP, bool) { + return nil, false +} + +func (_ *Context) Render(_ int, _ interface{}) {} + +func (_ *Context) SSEvent(_ string, _ interface{}) {} + +func (_ *Context) SaveUploadedFile(_ *multipart.FileHeader, _ string) error { + return nil +} + +func (_ *Context) SecureJSON(_ int, _ interface{}) {} + +func (_ *Context) Set(_ string, _ interface{}) {} + +func (_ *Context) SetAccepted(_ ...string) {} + +func (_ *Context) SetCookie(_ string, _ string, _ int, _ string, _ string, _ bool, _ bool) {} + +func (_ *Context) SetSameSite(_ http.SameSite) {} + +func (_ *Context) ShouldBind(_ interface{}) error { + return nil +} + +func (_ *Context) ShouldBindBodyWith(_ interface{}, _ interface{}) error { + return nil +} + +func (_ *Context) ShouldBindHeader(_ interface{}) error { + return nil +} + +func (_ *Context) ShouldBindJSON(_ interface{}) error { + return nil +} + +func (_ *Context) ShouldBindQuery(_ interface{}) error { + return nil +} + +func (_ *Context) ShouldBindUri(_ interface{}) error { + return nil +} + +func (_ *Context) ShouldBindWith(_ interface{}, _ interface{}) error { + return nil +} + +func (_ *Context) ShouldBindXML(_ interface{}) error { + return nil +} + +func (_ *Context) ShouldBindYAML(_ interface{}) error { + return nil +} + +func (_ *Context) Status(_ int) {} + +func (_ *Context) Stream(_ func(io.Writer) bool) bool { + return false +} + +func (_ *Context) String(_ int, _ string, _ ...interface{}) {} + +func (_ *Context) Value(_ interface{}) interface{} { + return nil +} + +func (_ *Context) XML(_ int, _ interface{}) {} + +func (_ *Context) YAML(_ int, _ interface{}) {} + +func Default() *Engine { + return nil +} + +type Engine struct { + RouterGroup RouterGroup + RedirectTrailingSlash bool + RedirectFixedPath bool + HandleMethodNotAllowed bool + ForwardedByClientIP bool + RemoteIPHeaders []string + TrustedProxies []string + AppEngine bool + UseRawPath bool + UnescapePathValues bool + MaxMultipartMemory int64 + RemoveExtraSlash bool + HTMLRender interface{} + FuncMap template.FuncMap +} + +func (_ *Engine) Any(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) BasePath() string { + return "" +} + +func (_ *Engine) DELETE(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) Delims(_ string, _ string) *Engine { + return nil +} + +func (_ *Engine) GET(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) Group(_ string, _ ...HandlerFunc) *RouterGroup { + return nil +} + +func (_ *Engine) HEAD(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) Handle(_ string, _ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) HandleContext(_ *Context) {} + +func (_ *Engine) LoadHTMLFiles(_ ...string) {} + +func (_ *Engine) LoadHTMLGlob(_ string) {} + +func (_ *Engine) NoMethod(_ ...HandlerFunc) {} + +func (_ *Engine) NoRoute(_ ...HandlerFunc) {} + +func (_ *Engine) OPTIONS(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) PATCH(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) POST(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) PUT(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) Routes() RoutesInfo { + return nil +} + +func (_ *Engine) Run(_ ...string) error { + return nil +} + +func (_ *Engine) RunFd(_ int) error { + return nil +} + +func (_ *Engine) RunListener(_ net.Listener) error { + return nil +} + +func (_ *Engine) RunTLS(_ string, _ string, _ string) error { + return nil +} + +func (_ *Engine) RunUnix(_ string) error { + return nil +} + +func (_ *Engine) SecureJsonPrefix(_ string) *Engine { + return nil +} + +func (_ *Engine) ServeHTTP(_ http.ResponseWriter, _ *http.Request) {} + +func (_ *Engine) SetFuncMap(_ template.FuncMap) {} + +func (_ *Engine) SetHTMLTemplate(_ *template.Template) {} + +func (_ *Engine) Static(_ string, _ string) IRoutes { + return nil +} + +func (_ *Engine) StaticFS(_ string, _ http.FileSystem) IRoutes { + return nil +} + +func (_ *Engine) StaticFile(_ string, _ string) IRoutes { + return nil +} + +func (_ *Engine) Use(_ ...HandlerFunc) IRoutes { + return nil +} + +type Error struct { + Err error + Type ErrorType + Meta interface{} +} + +func (_ Error) Error() string { + return "" +} + +func (_ *Error) IsType(_ ErrorType) bool { + return false +} + +func (_ *Error) JSON() interface{} { + return nil +} + +func (_ *Error) MarshalJSON() ([]byte, error) { + return nil, nil +} + +func (_ *Error) SetMeta(_ interface{}) *Error { + return nil +} + +func (_ *Error) SetType(_ ErrorType) *Error { + return nil +} + +func (_ *Error) Unwrap() error { + return nil +} + +type ErrorType uint64 + +type HandlerFunc func(*Context) + +type HandlersChain []HandlerFunc + +func (_ HandlersChain) Last() HandlerFunc { + return nil +} + +type IRoutes interface { + Any(_ string, _ ...HandlerFunc) IRoutes + DELETE(_ string, _ ...HandlerFunc) IRoutes + GET(_ string, _ ...HandlerFunc) IRoutes + HEAD(_ string, _ ...HandlerFunc) IRoutes + Handle(_ string, _ string, _ ...HandlerFunc) IRoutes + OPTIONS(_ string, _ ...HandlerFunc) IRoutes + PATCH(_ string, _ ...HandlerFunc) IRoutes + POST(_ string, _ ...HandlerFunc) IRoutes + PUT(_ string, _ ...HandlerFunc) IRoutes + Static(_ string, _ string) IRoutes + StaticFS(_ string, _ http.FileSystem) IRoutes + StaticFile(_ string, _ string) IRoutes + Use(_ ...HandlerFunc) IRoutes +} + +type Negotiate struct { + Offered []string + HTMLName string + HTMLData interface{} + JSONData interface{} + XMLData interface{} + YAMLData interface{} + Data interface{} +} + +type Param struct { + Key string + Value string +} + +type Params []Param + +func (_ Params) ByName(_ string) string { + return "" +} + +func (_ Params) Get(_ string) (string, bool) { + return "", false +} + +type ResponseWriter interface { + CloseNotify() <-chan bool + Flush() + Header() http.Header + Hijack() (net.Conn, *bufio.ReadWriter, error) + Pusher() http.Pusher + Size() int + Status() int + Write(_ []byte) (int, error) + WriteHeader(_ int) + WriteHeaderNow() + WriteString(_ string) (int, error) + Written() bool +} + +type RouteInfo struct { + Method string + Path string + Handler string + HandlerFunc HandlerFunc +} + +type RouterGroup struct { + Handlers HandlersChain +} + +func (_ *RouterGroup) Any(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) BasePath() string { + return "" +} + +func (_ *RouterGroup) DELETE(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) GET(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) Group(_ string, _ ...HandlerFunc) *RouterGroup { + return nil +} + +func (_ *RouterGroup) HEAD(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) Handle(_ string, _ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) OPTIONS(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) PATCH(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) POST(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) PUT(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) Static(_ string, _ string) IRoutes { + return nil +} + +func (_ *RouterGroup) StaticFS(_ string, _ http.FileSystem) IRoutes { + return nil +} + +func (_ *RouterGroup) StaticFile(_ string, _ string) IRoutes { + return nil +} + +func (_ *RouterGroup) Use(_ ...HandlerFunc) IRoutes { + return nil +} + +type RoutesInfo []RouteInfo diff --git a/go/ql/test/query-tests/Security/CWE-614/vendor/github.com/gorilla/sessions/stub.go b/go/ql/test/query-tests/Security/CWE-614/vendor/github.com/gorilla/sessions/stub.go new file mode 100644 index 000000000000..2ebc3858163f --- /dev/null +++ b/go/ql/test/query-tests/Security/CWE-614/vendor/github.com/gorilla/sessions/stub.go @@ -0,0 +1,75 @@ +// Code generated by depstubber. DO NOT EDIT. +// This is a simple stub for github.com/gorilla/sessions, strictly for use in testing. + +// See the LICENSE file for information about the licensing of the original library. +// Source: github.com/gorilla/sessions (exports: CookieStore; functions: NewCookieStore) + +// Package sessions is a stub of github.com/gorilla/sessions, generated by depstubber. +package sessions + +import ( + http "net/http" +) + +type CookieStore struct { + Codecs []interface{} + Options *Options +} + +func (_ *CookieStore) Get(_ *http.Request, _ string) (*Session, error) { + return nil, nil +} + +func (_ *CookieStore) MaxAge(_ int) {} + +func (_ *CookieStore) New(_ *http.Request, _ string) (*Session, error) { + return nil, nil +} + +func (_ *CookieStore) Save(_ *http.Request, _ http.ResponseWriter, _ *Session) error { + return nil +} + +func NewCookieStore(_ ...[]byte) *CookieStore { + return nil +} + +type Options struct { + Path string + Domain string + MaxAge int + Secure bool + HttpOnly bool + SameSite http.SameSite +} + +type Session struct { + ID string + Values map[interface{}]interface{} + Options *Options + IsNew bool +} + +func (_ *Session) AddFlash(_ interface{}, _ ...string) {} + +func (_ *Session) Flashes(_ ...string) []interface{} { + return nil +} + +func (_ *Session) Name() string { + return "" +} + +func (_ *Session) Save(_ *http.Request, _ http.ResponseWriter) error { + return nil +} + +func (_ *Session) Store() Store { + return nil +} + +type Store interface { + Get(_ *http.Request, _ string) (*Session, error) + New(_ *http.Request, _ string) (*Session, error) + Save(_ *http.Request, _ http.ResponseWriter, _ *Session) error +} diff --git a/go/ql/test/query-tests/Security/CWE-614/vendor/modules.txt b/go/ql/test/query-tests/Security/CWE-614/vendor/modules.txt new file mode 100644 index 000000000000..f38695b1ffcb --- /dev/null +++ b/go/ql/test/query-tests/Security/CWE-614/vendor/modules.txt @@ -0,0 +1,6 @@ +# github.com/gin-gonic/gin v1.7.1 +## explicit +github.com/gin-gonic/gin +# github.com/gorilla/sessions v1.2.1 +## explicit +github.com/gorilla/sessions From 3107edf6feba2fd7e8a9c72b7fc94cab083a891f Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Thu, 6 Nov 2025 16:55:49 +0000 Subject: [PATCH 5/5] Fixes and doc updates --- go/ql/lib/go.qll | 1 + go/ql/lib/semmle/go/concepts/HTTP.qll | 4 ++-- go/ql/lib/semmle/go/frameworks/stdlib/NetHttp.qll | 4 ++-- go/ql/src/Security/CWE-1004/CookieWithoutHttpOnly.ql | 2 +- go/ql/src/Security/CWE-614/CookieWithoutSecure.ql | 4 ++-- 5 files changed, 8 insertions(+), 7 deletions(-) diff --git a/go/ql/lib/go.qll b/go/ql/lib/go.qll index 16f2f1702faa..682342aad95a 100644 --- a/go/ql/lib/go.qll +++ b/go/ql/lib/go.qll @@ -40,6 +40,7 @@ import semmle.go.frameworks.ElazarlGoproxy import semmle.go.frameworks.Email import semmle.go.frameworks.Encoding import semmle.go.frameworks.Fasthttp +import semmle.go.frameworks.Gin import semmle.go.frameworks.GinCors import semmle.go.frameworks.Glog import semmle.go.frameworks.GoJose diff --git a/go/ql/lib/semmle/go/concepts/HTTP.qll b/go/ql/lib/semmle/go/concepts/HTTP.qll index 0fdf5a68624d..41f3caec03d8 100644 --- a/go/ql/lib/semmle/go/concepts/HTTP.qll +++ b/go/ql/lib/semmle/go/concepts/HTTP.qll @@ -381,7 +381,7 @@ module Http { predicate guardedBy(DataFlow::Node check) { super.guardedBy(check) } } - /** Provides a class for modelling HTTP response cookie writes. */ + /** Provides a class for modeling HTTP response cookie writes. */ module CookieWrite { /** * An write of an HTTP Cookie to an HTTP response. @@ -424,7 +424,7 @@ module Http { DataFlow::Node getHttpOnly() { result = super.getHttpOnly() } } - /** Provides a class for modelling the options of an HTTP cookie. */ + /** Provides a class for modeling the options of an HTTP cookie. */ module CookieOptions { /** * An HTTP Cookie object. diff --git a/go/ql/lib/semmle/go/frameworks/stdlib/NetHttp.qll b/go/ql/lib/semmle/go/frameworks/stdlib/NetHttp.qll index f68d95181095..fd86effa9754 100644 --- a/go/ql/lib/semmle/go/frameworks/stdlib/NetHttp.qll +++ b/go/ql/lib/semmle/go/frameworks/stdlib/NetHttp.qll @@ -294,7 +294,7 @@ module NetHttp { override DataFlow::Node getAPathArgument() { result = this.getArgument(2) } } - class CookieWrite extends Http::CookieWrite::Range, DataFlow::CallNode { + private class CookieWrite extends Http::CookieWrite::Range, DataFlow::CallNode { CookieWrite() { this.getTarget().hasQualifiedName(package("net/http", ""), "SetCookie") } override DataFlow::Node getName() { result = this.getArgument(1) } @@ -306,7 +306,7 @@ module NetHttp { override DataFlow::Node getHttpOnly() { result = this.getArgument(1) } } - class CookieFieldWrite extends Http::CookieOptions::Range { + private class CookieFieldWrite extends Http::CookieOptions::Range { Write w; Field f; DataFlow::Node written; diff --git a/go/ql/src/Security/CWE-1004/CookieWithoutHttpOnly.ql b/go/ql/src/Security/CWE-1004/CookieWithoutHttpOnly.ql index 27f86d23dd2c..a37b842c29d2 100644 --- a/go/ql/src/Security/CWE-1004/CookieWithoutHttpOnly.ql +++ b/go/ql/src/Security/CWE-1004/CookieWithoutHttpOnly.ql @@ -7,6 +7,7 @@ * @kind path-problem * @problem.severity warning * @precision high + * @security-severity 5.0 * @id go/cookie-httponly-not-set * @tags security * external/cwe/cwe-1004 @@ -14,7 +15,6 @@ import go import semmle.go.security.SecureCookies -import semmle.go.concepts.HTTP import SensitiveCookieNameFlow::PathGraph from diff --git a/go/ql/src/Security/CWE-614/CookieWithoutSecure.ql b/go/ql/src/Security/CWE-614/CookieWithoutSecure.ql index 635d2113f8df..8efec355d1f8 100644 --- a/go/ql/src/Security/CWE-614/CookieWithoutSecure.ql +++ b/go/ql/src/Security/CWE-614/CookieWithoutSecure.ql @@ -4,6 +4,7 @@ * @kind problem * @problem.severity warning * @precision high + * @security-severity 5.0 * @id go/cookie-secure-not-set * @tags security * external/cwe/cwe-1004 @@ -11,8 +12,7 @@ import go import semmle.go.security.SecureCookies -import semmle.go.concepts.HTTP from Http::CookieWrite cw where isInsecureCookie(cw) -select cw, "Cookie does not set Secure attribute to true" +select cw, "Cookie does not set Secure attribute to true."