Add sensitive data heuristic

joefarebrother · joefarebrother · commit d28e8004fdb5 · 2025-09-23T10:08:08.000+01:00
diff --git a/python/ql/lib/semmle/python/Concepts.qll b/python/ql/lib/semmle/python/Concepts.qll
@@ -12,6 +12,7 @@ private import semmle.python.dataflow.new.TaintTracking
 private import semmle.python.Files
 private import semmle.python.Frameworks
 private import semmle.python.security.internal.EncryptionKeySizes
+private import semmle.python.dataflow.new.SensitiveDataSources
 private import codeql.threatmodels.ThreatModels
 private import codeql.concepts.ConceptsShared
 
@@ -1290,6 +1291,18 @@ module Http {
        */
       DataFlow::Node getValueArg() { result = super.getValueArg() }
 
+      /** Holds if the name of this cookie indicates it may contain sensitive information. */
+      predicate isSensitive() {
+        exists(DataFlow::Node name |
+          name = [this.getNameArg(), this.getHeaderArg()] and
+          (
+            name instanceof SensitiveDataSource
+            or
+            name = sensitiveLookupStringConst(_)
+          )
+        )
+      }
+
       /**
        * Holds if the `Secure` flag of the cookie is known to have a value of `b`.
        */
diff --git a/python/ql/lib/semmle/python/dataflow/new/SensitiveDataSources.qll b/python/ql/lib/semmle/python/dataflow/new/SensitiveDataSources.qll
@@ -334,3 +334,5 @@ private module SensitiveDataModeling {
 }
 
 predicate sensitiveDataExtraStepForCalls = SensitiveDataModeling::extraStepForCalls/2;
+
+predicate sensitiveLookupStringConst = SensitiveDataModeling::sensitiveLookupStringConst/1;
diff --git a/python/ql/src/Security/CWE-614/InsecureCookie.ql b/python/ql/src/Security/CWE-614/InsecureCookie.ql
@@ -16,5 +16,6 @@ import semmle.python.dataflow.new.DataFlow
 import semmle.python.Concepts
 
 from Http::Server::CookieWrite cookie
-where cookie.hasSecureFlag(false)
+where cookie.hasSecureFlag(false) //and
+//cookie.isSensitive()
 select cookie, "Cookie is added without the Secure attribute properly set."
diff --git a/python/ql/test/query-tests/Security/CWE-614-InsecureCookie/InsecureCookie.expected b/python/ql/test/query-tests/Security/CWE-614-InsecureCookie/InsecureCookie.expected
@@ -1,7 +1,3 @@
-| test.py:8:5:8:37 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
-| test.py:10:5:10:52 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
-| test.py:11:5:11:56 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
-| test.py:12:5:12:53 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
-| test.py:13:5:13:54 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
-| test.py:15:5:15:71 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
-| test.py:17:5:17:69 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
+| test.py:8:5:8:40 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
+| test.py:10:5:10:57 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
+| test.py:11:5:11:60 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
diff --git a/python/ql/test/query-tests/Security/CWE-614-InsecureCookie/test.py b/python/ql/test/query-tests/Security/CWE-614-InsecureCookie/test.py
@@ -5,14 +5,8 @@
 @app.route("/test")
 def test():
     resp = make_response()
-    resp.set_cookie("key1", "value1") # $Alert[py/insecure-cookie]
-    resp.set_cookie("key2", "value2", secure=True) 
-    resp.set_cookie("key2", "value2", httponly=True) # $Alert[py/insecure-cookie]
-    resp.set_cookie("key2", "value2", samesite="Strict") # $Alert[py/insecure-cookie]
-    resp.set_cookie("key2", "value2", samesite="Lax") # $Alert[py/insecure-cookie]
-    resp.set_cookie("key2", "value2", samesite="None") # $Alert[py/insecure-cookie]
-    resp.set_cookie("key2", "value2", secure=True, samesite="Strict")
-    resp.set_cookie("key2", "value2", httponly=True, samesite="Strict") # $Alert[py/insecure-cookie]
-    resp.set_cookie("key2", "value2", secure=True, samesite="None")
-    resp.set_cookie("key2", "value2", httponly=True, samesite="None") # $Alert[py/insecure-cookie]
-    resp.set_cookie("key2", "value2", secure=True, httponly=True, samesite="Strict")
+    resp.set_cookie("authKey", "value1") # $Alert[py/insecure-cookie]
+    resp.set_cookie("authKey", "value2", secure=True) 
+    resp.set_cookie("sessionID", "value2", httponly=True) # $Alert[py/insecure-cookie]
+    resp.set_cookie("password", "value2", samesite="Strict") # $Alert[py/insecure-cookie]
+    resp.set_cookie("notSensitive", "value3") 

Original file line number	Diff line number	Diff line change
`@@ -334,3 +334,5 @@ private module SensitiveDataModeling {`
`334`	`334`	`}`
`335`	`335`
`336`	`336`	`predicate sensitiveDataExtraStepForCalls = SensitiveDataModeling::extraStepForCalls/2;`
	`337`	`+`
	`338`	`+predicate sensitiveLookupStringConst = SensitiveDataModeling::sensitiveLookupStringConst/1;`