prepare move to non-experimental

erik-krogh · erik-krogh · commit 26a24a38954c · 2021-10-26T13:46:57.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/CookieLibraries.qll b/javascript/ql/lib/semmle/javascript/frameworks/CookieLibraries.qll
@@ -4,6 +4,31 @@
 
 import javascript
 
+/**
+ * Classes and predicates for reasoning about writes to cookies.
+ */
+module CookieWrites {
+  /**
+   * A write to a cookie.
+   */
+  abstract class CookieWrite extends DataFlow::Node {
+    /**
+     * Holds if this cookie is secure, i.e. only transmitted over SSL.
+     */
+    abstract predicate isSecure();
+
+    /**
+     * Holds if this cookie is HttpOnly, i.e. not accessible by JavaScript.
+     */
+    abstract predicate isHttpOnly();
+
+    /**
+     * Holds if the cookie is likely an authentication cookie or otherwise sensitive.
+     */
+    abstract predicate isSensitive();
+  }
+}
+
 /**
  * A model of the `js-cookie` library (https://github.com/js-cookie/js-cookie).
  */
@@ -26,6 +51,7 @@ private module JsCookie {
   }
 
   class WriteAccess extends PersistentWriteAccess, DataFlow::CallNode {
+    // TODO: CookieWrite
     WriteAccess() { this = libMemberCall("set") }
 
     string getKey() { getArgument(0).mayHaveStringValue(result) }
@@ -54,6 +80,7 @@ private module BrowserCookies {
   }
 
   class WriteAccess extends PersistentWriteAccess, DataFlow::CallNode {
+    // TODO: CookieWrite
     WriteAccess() { this = libMemberCall("set") }
 
     string getKey() { getArgument(0).mayHaveStringValue(result) }
@@ -82,6 +109,7 @@ private module LibCookie {
   }
 
   class WriteAccess extends PersistentWriteAccess, DataFlow::CallNode {
+    // TODO: CookieWrite
     WriteAccess() { this = libMemberCall("serialize") }
 
     string getKey() { getArgument(0).mayHaveStringValue(result) }
diff --git a/javascript/ql/src/experimental/Security/CWE-1004/CookieWithoutHttpOnly.ql b/javascript/ql/src/experimental/Security/CWE-1004/CookieWithoutHttpOnly.ql
@@ -13,8 +13,15 @@
  */
 
 import javascript
-import experimental.semmle.javascript.security.InsecureCookie::Cookie
+import experimental.semmle.javascript.security.InsecureCookie::Cookie as ExperimentalCookie
 
-from CookieWrite cookie
-where cookie.isSensitive() and not cookie.isHttpOnly()
-select cookie, "Cookie attribute 'HttpOnly' is not set to true for this sensitive cookie."
+from DataFlow::Node node
+where
+  exists(ExperimentalCookie::CookieWrite cookie | cookie = node |
+    cookie.isSensitive() and not cookie.isHttpOnly()
+  )
+  or
+  exists(CookieWrites::CookieWrite cookie | cookie = node |
+    cookie.isSensitive() and not cookie.isHttpOnly()
+  )
+select node, "Cookie attribute 'HttpOnly' is not set to true for this sensitive cookie."
diff --git a/javascript/ql/src/experimental/Security/CWE-614/InsecureCookie.ql b/javascript/ql/src/experimental/Security/CWE-614/InsecureCookie.ql
@@ -11,8 +11,11 @@
  */
 
 import javascript
-import experimental.semmle.javascript.security.InsecureCookie::Cookie
+import experimental.semmle.javascript.security.InsecureCookie::Cookie as ExperimentalCookie
 
-from CookieWrite cookie
-where not cookie.isSecure()
-select cookie, "Cookie is added to response without the 'secure' flag being set to true"
+from DataFlow::Node node
+where
+  exists(ExperimentalCookie::CookieWrite cookie | cookie = node | not cookie.isSecure())
+  or
+  exists(CookieWrites::CookieWrite cookie | cookie = node | not cookie.isSecure())
+select node, "Cookie is added to response without the 'secure' flag being set to true"
