Update and fix tests

Author: joefarebrother

python/ql/lib/semmle/python/Concepts.qll

@@ -1296,7 +1296,7 @@ module Http {
         exists(DataFlow::Node name |
           name = [this.getNameArg(), this.getHeaderArg()] and
           (
-            name instanceof SensitiveDataSource
+            DataFlow::localFlow(any(SensitiveDataSource src), name)
             or
             name = sensitiveLookupStringConst(_)
           )

python/ql/src/Security/CWE-1004/NonHttpOnlyCookie.ql

@@ -15,5 +15,7 @@ import semmle.python.dataflow.new.DataFlow
 import semmle.python.Concepts
 
 from Http::Server::CookieWrite cookie
-where cookie.hasHttpOnlyFlag(false)
+where
+  cookie.hasHttpOnlyFlag(false) and
+  cookie.isSensitive()
 select cookie, "Cookie is added without the HttpOnly attribute properly set."

python/ql/src/Security/CWE-1275/SameSiteNoneCookie.ql

@@ -3,7 +3,7 @@
  * @description Cookies with `SameSite` set to `None` can allow for Cross-Site Request Forgery (CSRF) attacks.
  * @kind problem
  * @problem.severity warning
- * @security-severity 3.5
+ * @security-severity 4.0
  * @precision high
  * @id py/samesite-none-cookie
  * @tags security
@@ -15,5 +15,7 @@ import semmle.python.dataflow.new.DataFlow
 import semmle.python.Concepts
 
 from Http::Server::CookieWrite cookie
-where cookie.hasSameSiteAttribute(any(Http::Server::CookieWrite::SameSiteNone v))
+where
+  cookie.hasSameSiteAttribute(any(Http::Server::CookieWrite::SameSiteNone v)) and
+  cookie.isSensitive()
 select cookie, "Cookie is added with the SameSite attribute set to None."

python/ql/src/Security/CWE-614/InsecureCookie.ql

@@ -16,6 +16,7 @@ import semmle.python.dataflow.new.DataFlow
 import semmle.python.Concepts
 
 from Http::Server::CookieWrite cookie
-where cookie.hasSecureFlag(false) //and
-//cookie.isSensitive()
+where
+  cookie.hasSecureFlag(false) and
+  cookie.isSensitive()
 select cookie, "Cookie is added without the Secure attribute properly set."

python/ql/test/query-tests/Security/CWE-1004-NonHttpOnlyCookie/NonHttpOnlyCookie.expected

@@ -1,7 +1,3 @@
-| test.py:8:5:8:37 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
-| test.py:9:5:9:50 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
-| test.py:11:5:11:56 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
-| test.py:12:5:12:53 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
-| test.py:13:5:13:54 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
-| test.py:14:5:14:69 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
-| test.py:16:5:16:67 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
+| test.py:8:5:8:38 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
+| test.py:9:5:9:51 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
+| test.py:11:5:11:57 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |

python/ql/test/query-tests/Security/CWE-1004-NonHttpOnlyCookie/test.py

@@ -5,14 +5,8 @@
 @app.route("/test")
 def test():
     resp = make_response()
-    resp.set_cookie("key1", "value1") # $Alert[py/client-exposed-cookie]
-    resp.set_cookie("key2", "value2", secure=True) # $Alert[py/client-exposed-cookie]
-    resp.set_cookie("key2", "value2", httponly=True) 
-    resp.set_cookie("key2", "value2", samesite="Strict") # $Alert[py/client-exposed-cookie]
-    resp.set_cookie("key2", "value2", samesite="Lax") # $Alert[py/client-exposed-cookie]
-    resp.set_cookie("key2", "value2", samesite="None") # $Alert[py/client-exposed-cookie]
-    resp.set_cookie("key2", "value2", secure=True, samesite="Strict") # $Alert[py/client-exposed-cookie]
-    resp.set_cookie("key2", "value2", httponly=True, samesite="Strict") 
-    resp.set_cookie("key2", "value2", secure=True, samesite="None") # $Alert[py/client-exposed-cookie]
-    resp.set_cookie("key2", "value2", httponly=True, samesite="None") 
-    resp.set_cookie("key2", "value2", secure=True, httponly=True, samesite="Strict")
+    resp.set_cookie("oauth", "value1") # $Alert[py/client-exposed-cookie]
+    resp.set_cookie("oauth", "value2", secure=True) # $Alert[py/client-exposed-cookie]
+    resp.set_cookie("oauth", "value2", httponly=True) 
+    resp.set_cookie("oauth", "value2", samesite="Strict") # $Alert[py/client-exposed-cookie]
+    resp.set_cookie("oauth", "value2", httponly=True, samesite="None") 

python/ql/test/query-tests/Security/CWE-1275-SameSiteNoneCookie/SameSiteNoneCookie.expected

@@ -1,3 +1,2 @@
-| test.py:13:5:13:54 | ControlFlowNode for Attribute() | Cookie is added with the SameSite attribute set to None. |
-| test.py:16:5:16:67 | ControlFlowNode for Attribute() | Cookie is added with the SameSite attribute set to None. |
-| test.py:17:5:17:69 | ControlFlowNode for Attribute() | Cookie is added with the SameSite attribute set to None. |
+| test.py:10:5:10:60 | ControlFlowNode for Attribute() | Cookie is added with the SameSite attribute set to None. |
+| test.py:13:5:13:78 | ControlFlowNode for Attribute() | Cookie is added with the SameSite attribute set to None. |

python/ql/test/query-tests/Security/CWE-1275-SameSiteNoneCookie/test.py

@@ -3,16 +3,13 @@
 app = Flask(__name__)
 
 @app.route("/test")
-def test():
+def test(oauth_cookie_name):
     resp = make_response()
-    resp.set_cookie("key1", "value1") 
-    resp.set_cookie("key2", "value2", secure=True) 
-    resp.set_cookie("key2", "value2", httponly=True) 
-    resp.set_cookie("key2", "value2", samesite="Strict") 
-    resp.set_cookie("key2", "value2", samesite="Lax") 
-    resp.set_cookie("key2", "value2", samesite="None") # $Alert[py/samesite-none-cookie]
-    resp.set_cookie("key2", "value2", secure=True, samesite="Strict") 
-    resp.set_cookie("key2", "value2", httponly=True, samesite="Strict") 
-    resp.set_cookie("key2", "value2", secure=True, samesite="None") # $Alert[py/samesite-none-cookie]
-    resp.set_cookie("key2", "value2", httponly=True, samesite="None") # $Alert[py/samesite-none-cookie]
-    resp.set_cookie("key2", "value2", secure=True, httponly=True, samesite="Strict")
+    resp.set_cookie("password", "value1") 
+    resp.set_cookie("authKey", "value2", samesite="Lax") 
+    resp.set_cookie("session_id", "value2", samesite="None") # $Alert[py/samesite-none-cookie]
+    resp.set_cookie("oauth", "value2", secure=True, samesite="Strict") 
+    resp.set_cookie("oauth", "value2", httponly=True, samesite="Strict") 
+    resp.set_cookie(oauth_cookie_name, "value2", secure=True, samesite="None") # $Alert[py/samesite-none-cookie]
+    resp.set_cookie("not_sensitive", "value2", samesite="None")
+