Skip to content

Commit 2e95c2b

Browse files
joefarebrotherjoefarebrother
committed
Split test cases for insecure cookie queries
1 parent 04316d3 commit 2e95c2b

File tree

10 files changed

+68
-22
lines changed

10 files changed

+68
-22
lines changed

python/ql/src/Security/CWE-1275/SameSiteNoneCookie.ql

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,7 @@
33
* @description Cookies with `SameSite` set to `None` can allow for Cross-Site Request Forgery (CSRF) attacks.
44
* @kind problem
55
* @problem.severity warning
6-
* @security-severity 5.0
6+
* @security-severity 3.5
77
* @precision high
88
* @id py/samesite-none-cookie
99
* @tags security

python/ql/test/query-tests/Security/CWE-1004-NonHttpOnlyCookie/NonHttpOnlyCookie.expected

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,7 @@
1+
| test.py:8:5:8:37 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
2+
| test.py:9:5:9:50 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
3+
| test.py:11:5:11:56 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
4+
| test.py:12:5:12:53 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
5+
| test.py:13:5:13:54 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
6+
| test.py:14:5:14:69 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
7+
| test.py:16:5:16:67 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |

python/ql/test/query-tests/Security/CWE-1004-NonHttpOnlyCookie/NonHttpOnlyCookie.qlref

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,2 @@
1+
query: Security/CWE-1004/NonHttpOnlyCookie.ql
2+
postprocess: utils/test/InlineExpectationsTestQuery.ql

python/ql/test/query-tests/Security/CWE-1004-NonHttpOnlyCookie/test.py

Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,18 @@
1+
from flask import Flask, request, make_response
2+
3+
app = Flask(__name__)
4+
5+
@app.route("/test")
6+
def test():
7+
resp = make_response()
8+
resp.set_cookie("key1", "value1") # $Alert[py/client-exposed-cookie]
9+
resp.set_cookie("key2", "value2", secure=True) # $Alert[py/client-exposed-cookie]
10+
resp.set_cookie("key2", "value2", httponly=True)
11+
resp.set_cookie("key2", "value2", samesite="Strict") # $Alert[py/client-exposed-cookie]
12+
resp.set_cookie("key2", "value2", samesite="Lax") # $Alert[py/client-exposed-cookie]
13+
resp.set_cookie("key2", "value2", samesite="None") # $Alert[py/client-exposed-cookie]
14+
resp.set_cookie("key2", "value2", secure=True, samesite="Strict") # $Alert[py/client-exposed-cookie]
15+
resp.set_cookie("key2", "value2", httponly=True, samesite="Strict")
16+
resp.set_cookie("key2", "value2", secure=True, samesite="None") # $Alert[py/client-exposed-cookie]
17+
resp.set_cookie("key2", "value2", httponly=True, samesite="None")
18+
resp.set_cookie("key2", "value2", secure=True, httponly=True, samesite="Strict")

python/ql/test/query-tests/Security/CWE-1275-SameSiteNoneCookie/SameSiteNoneCookie.expected

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,3 @@
1+
| test.py:13:5:13:54 | ControlFlowNode for Attribute() | Cookie is added with the SameSite attribute set to None. |
2+
| test.py:16:5:16:67 | ControlFlowNode for Attribute() | Cookie is added with the SameSite attribute set to None. |
3+
| test.py:17:5:17:69 | ControlFlowNode for Attribute() | Cookie is added with the SameSite attribute set to None. |

python/ql/test/query-tests/Security/CWE-1275-SameSiteNoneCookie/SameSiteNoneCookie.qlref

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,2 @@
1+
query: Security/CWE-1275/SameSiteNoneCookie.ql
2+
postprocess: utils/test/InlineExpectationsTestQuery.ql

python/ql/test/query-tests/Security/CWE-1275-SameSiteNoneCookie/test.py

Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,18 @@
1+
from flask import Flask, request, make_response
2+
3+
app = Flask(__name__)
4+
5+
@app.route("/test")
6+
def test():
7+
resp = make_response()
8+
resp.set_cookie("key1", "value1")
9+
resp.set_cookie("key2", "value2", secure=True)
10+
resp.set_cookie("key2", "value2", httponly=True)
11+
resp.set_cookie("key2", "value2", samesite="Strict")
12+
resp.set_cookie("key2", "value2", samesite="Lax")
13+
resp.set_cookie("key2", "value2", samesite="None") # $Alert[py/samesite-none-cookie]
14+
resp.set_cookie("key2", "value2", secure=True, samesite="Strict")
15+
resp.set_cookie("key2", "value2", httponly=True, samesite="Strict")
16+
resp.set_cookie("key2", "value2", secure=True, samesite="None") # $Alert[py/samesite-none-cookie]
17+
resp.set_cookie("key2", "value2", httponly=True, samesite="None") # $Alert[py/samesite-none-cookie]
18+
resp.set_cookie("key2", "value2", secure=True, httponly=True, samesite="Strict")

python/ql/test/query-tests/Security/CWE-614-InsecureCookie/InsecureCookie.expected

Lines changed: 7 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -1,10 +1,7 @@
1-
| test.py:10:5:10:37 | ControlFlowNode for Attribute() | Cookie is added without the Secure and HttpOnly attributes properly set. |
2-
| test.py:11:5:11:50 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
3-
| test.py:12:5:12:52 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
4-
| test.py:13:5:13:56 | ControlFlowNode for Attribute() | Cookie is added without the Secure and HttpOnly attributes properly set. |
5-
| test.py:14:5:14:53 | ControlFlowNode for Attribute() | Cookie is added without the Secure and HttpOnly attributes properly set. |
6-
| test.py:15:5:15:54 | ControlFlowNode for Attribute() | Cookie is added without the Secure, HttpOnly, and SameSite attributes properly set. |
7-
| test.py:16:5:16:69 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
8-
| test.py:17:5:17:71 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
9-
| test.py:18:5:18:67 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly and SameSite attributes properly set. |
10-
| test.py:19:5:19:69 | ControlFlowNode for Attribute() | Cookie is added without the Secure and SameSite attributes properly set. |
1+
| test.py:8:5:8:37 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
2+
| test.py:10:5:10:52 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
3+
| test.py:11:5:11:56 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
4+
| test.py:12:5:12:53 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
5+
| test.py:13:5:13:54 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
6+
| test.py:15:5:15:71 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
7+
| test.py:17:5:17:69 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |

python/ql/test/query-tests/Security/CWE-614-InsecureCookie/InsecureCookie.qlref

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1 +1,2 @@
1-
Security/CWE-614/InsecureCookie.ql
1+
query: Security/CWE-614/InsecureCookie.ql
2+
postprocess: utils/test/InlineExpectationsTestQuery.ql

python/ql/test/query-tests/Security/CWE-614-InsecureCookie/test.py

Lines changed: 8 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -1,20 +1,18 @@
11
from flask import Flask, request, make_response
2-
import lxml.etree
3-
import markupsafe
42

53
app = Flask(__name__)
64

75
@app.route("/test")
86
def test():
97
resp = make_response()
10-
resp.set_cookie("key1", "value1")
11-
resp.set_cookie("key2", "value2", secure=True)
12-
resp.set_cookie("key2", "value2", httponly=True)
13-
resp.set_cookie("key2", "value2", samesite="Strict")
14-
resp.set_cookie("key2", "value2", samesite="Lax")
15-
resp.set_cookie("key2", "value2", samesite="None")
8+
resp.set_cookie("key1", "value1") # $Alert[py/insecure-cookie]
9+
resp.set_cookie("key2", "value2", secure=True)
10+
resp.set_cookie("key2", "value2", httponly=True) # $Alert[py/insecure-cookie]
11+
resp.set_cookie("key2", "value2", samesite="Strict") # $Alert[py/insecure-cookie]
12+
resp.set_cookie("key2", "value2", samesite="Lax") # $Alert[py/insecure-cookie]
13+
resp.set_cookie("key2", "value2", samesite="None") # $Alert[py/insecure-cookie]
1614
resp.set_cookie("key2", "value2", secure=True, samesite="Strict")
17-
resp.set_cookie("key2", "value2", httponly=True, samesite="Strict")
15+
resp.set_cookie("key2", "value2", httponly=True, samesite="Strict") # $Alert[py/insecure-cookie]
1816
resp.set_cookie("key2", "value2", secure=True, samesite="None")
19-
resp.set_cookie("key2", "value2", httponly=True, samesite="None")
17+
resp.set_cookie("key2", "value2", httponly=True, samesite="None") # $Alert[py/insecure-cookie]
2018
resp.set_cookie("key2", "value2", secure=True, httponly=True, samesite="Strict")

0 commit comments

Comments
 (0)