Add tests for insecure cookie using system.web

Author: joefarebrother

csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/FormsTrue/Program.cs

@@ -4,28 +4,4 @@ void CookieDefault()
     {
         var cookie = new System.Web.HttpCookie("cookieName"); // GOOD: requireSSL is set to true in config
     }
-
-    void CookieDirectTrue()
-    {
-        var cookie = new System.Web.HttpCookie("cookieName");
-        cookie.Secure = true;  // GOOD
-    }
-
-    void CookieDirectTrueInitializer()
-    {
-        var cookie = new System.Web.HttpCookie("cookieName") { Secure = true }; // GOOD
-    }
-
-    void CookieIntermediateTrue()
-    {
-        var cookie = new System.Web.HttpCookie("cookieName");
-        bool v = true;
-        cookie.Secure = v; // GOOD: should track local data flow
-    }
-
-    void CookieIntermediateTrueInitializer()
-    {
-        bool v = true;
-        var cookie = new System.Web.HttpCookie("cookieName") { Secure = v }; // GOOD: should track local data flow
-    }
 }

csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLFalse/CookieWithoutSecure.expected

@@ -0,0 +1,3 @@
+| Program.cs:5:22:5:60 | object creation of type HttpCookie | Cookie attribute 'Secure' is not set to true. |
+| Program.cs:34:22:34:60 | object creation of type HttpCookie | Cookie attribute 'Secure' is not set to true. |
+| Program.cs:40:22:40:79 | object creation of type HttpCookie | Cookie attribute 'Secure' is not set to true. |

csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLFalse/CookieWithoutSecure.qlref

@@ -0,0 +1,2 @@
+query: Security Features/CWE-614/CookieWithoutSecure.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLFalse/Program.cs

@@ -0,0 +1,55 @@
+class Program
+{
+    void CookieDefault()
+    {
+        var cookie = new System.Web.HttpCookie("cookieName"); // $Alert // BAD: requireSSL is set to false by default
+    }
+
+    void CookieDirectTrue()
+    {
+        var cookie = new System.Web.HttpCookie("cookieName");
+        cookie.Secure = true;  // GOOD
+    }
+
+    void CookieDirectTrueInitializer()
+    {
+        var cookie = new System.Web.HttpCookie("cookieName") { Secure = true }; // GOOD
+    }
+
+    void CookieIntermediateTrue()
+    {
+        var cookie = new System.Web.HttpCookie("cookieName");
+        bool v = true;
+        cookie.Secure = v; // GOOD: should track local data flow
+    }
+
+    void CookieIntermediateTrueInitializer()
+    {
+        bool v = true;
+        var cookie = new System.Web.HttpCookie("cookieName") { Secure = v }; // GOOD: should track local data flow
+    }
+
+    void CookieDirectFalse()
+    {
+        var cookie = new System.Web.HttpCookie("cookieName"); // $Alert 
+        cookie.Secure = false; // BAD
+    }
+
+    void CookieDirectFalseInitializer()
+    {
+        var cookie = new System.Web.HttpCookie("cookieName") { Secure = false }; // $Alert // BAD
+    }
+
+        void CookieIntermediateFalse()
+    {
+        var cookie = new System.Web.HttpCookie("cookieName"); // $MISSING:Alert
+        bool v = false;
+        cookie.Secure = v; // BAD, but not detected
+    }
+
+    void CookieIntermediateFalseInitializer()
+    {
+        bool v = false;
+        var cookie = new System.Web.HttpCookie("cookieName") { Secure = v }; // $MISSING:Alert // BAD, but not detected
+    }
+}

csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLFalse/Web.config

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+  <system.web>
+    <httpCookies />
+  </system.web>
+</configuration>

csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLFalse/options

@@ -0,0 +1,3 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
+semmle-extractor-options: ${testdir}/../../../../../../resources/stubs/System.Web.cs

csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLTrue/FormsTrue/CookieWithoutSecure.expected

@@ -0,0 +1,2 @@
+query: Security Features/CWE-614/CookieWithoutSecure.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLTrue/FormsTrue/CookieWithoutSecure.qlref

@@ -0,0 +1,7 @@
+class Program
+{
+    void CookieDefault()
+    {
+        var cookie = new System.Web.HttpCookie("cookieName"); // GOOD: requireSSL is set to true in config
+    }
+}

csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLTrue/FormsTrue/Program.cs

@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+  <system.web>
+    <authentication>
+      <forms requireSSL=" True "/>
+    </authentication>
+    <httpCookies />
+  </system.web>
+</configuration>