Add system.web tests for httponly cookie

Author: joefarebrother

csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/SystemWeb/CookieWithoutHttpOnly.expected

@@ -0,0 +1,3 @@
+| Program.cs:16:22:16:59 | object creation of type HttpCookie | Cookie attribute 'HttpOnly' is not set to true. |
+| Program.cs:32:22:32:59 | object creation of type HttpCookie | Cookie attribute 'HttpOnly' is not set to true. |
+| Program.cs:38:22:38:80 | object creation of type HttpCookie | Cookie attribute 'HttpOnly' is not set to true. |

csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/SystemWeb/CookieWithoutHttpOnly.qlref

@@ -0,0 +1,2 @@
+query: Security Features/CWE-1004/CookieWithoutHttpOnly.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/SystemWeb/Program.cs

@@ -0,0 +1,66 @@
+class Program
+{
+    void CookieDirectTrue()
+    {
+        var cookie = new System.Web.HttpCookie("sessionID");
+        cookie.HttpOnly = true;  // GOOD
+    }
+
+    void CookieDirectTrueInitializer()
+    {
+        var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = true }; // GOOD
+    }
+
+    void CookieDefault()
+    {
+        var cookie = new System.Web.HttpCookie("sessionID"); // $Alert // BAD: httpOnlyCookies is set to false by default
+    }
+
+    void CookieDefaultForgery()
+    {
+        var cookie = new System.Web.HttpCookie("anticsrftoken"); // GOOD: not an auth cookie
+    }
+
+    void CookieForgeryDirectFalse()
+    {
+        var cookie = new System.Web.HttpCookie("antiforgerytoken");
+        cookie.HttpOnly = false; // GOOD: not an auth cookie
+    }
+
+    void CookieDirectFalse()
+    {
+        var cookie = new System.Web.HttpCookie("sessionID"); // $Alert 
+        cookie.HttpOnly = false; // BAD
+    }
+
+    void CookieDirectFalseInitializer()
+    {
+        var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = false };  // $Alert // BAD
+    }
+
+    void CookieIntermediateTrue()
+    {
+        var cookie = new System.Web.HttpCookie("sessionID");
+        bool v = true;
+        cookie.HttpOnly = v; // GOOD: should track local data flow
+    }
+
+    void CookieIntermediateTrueInitializer()
+    {
+        bool v = true;
+        var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = v }; // GOOD: should track local data flow
+    }
+
+    void CookieIntermediateFalse()
+    {
+        var cookie = new System.Web.HttpCookie("sessionID"); // MISSING:Alert 
+        bool v = false;
+        cookie.HttpOnly = v; // BAD
+    }
+
+    void CookieIntermediateFalseInitializer()
+    {
+        bool v = false;
+        var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = v };  // $MISSING:Alert // BAD
+    }
+}

csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/SystemWeb/Web.config

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+  <system.web>
+    <httpCookies />
+  </system.web>
+</configuration>

csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/SystemWeb/options

@@ -0,0 +1,3 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
+semmle-extractor-options: ${testdir}/../../../../../resources/stubs/System.Web.cs