Split insecure cookies queries into 3 queries

joefarebrother · joefarebrother · commit 7eabed6594c1 · 2025-09-18T13:34:10.000+01:00
diff --git a/python/ql/src/Security/CWE-1004/NonHttpOnlyCookie.ql b/python/ql/src/Security/CWE-1004/NonHttpOnlyCookie.ql
@@ -0,0 +1,19 @@
+/**
+ * @name Cookie missing `HttpOnly` attribute.
+ * @description Cookies without the `HttpOnly` attribute set can be accessed by JS scripts, making them more vulnerable to XSS attacks.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 5.0
+ * @precision high
+ * @id py/client-exposed-cookie
+ * @tags security
+ *       external/cwe/cwe-1004
+ */
+
+import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.Concepts
+
+from Http::Server::CookieWrite cookie
+where cookie.hasHttpOnlyFlag(false)
+select cookie, "Cookie is added without the HttpOnly attribute properly set."
diff --git a/python/ql/src/Security/CWE-1275/SameSiteNoneCookie.ql b/python/ql/src/Security/CWE-1275/SameSiteNoneCookie.ql
@@ -0,0 +1,19 @@
+/**
+ * @name Cookie with `SameSite` attribute set to `None`.
+ * @description Cookies with `SameSite` set to `None` can allow for Cross-Site Request Forgery (CSRF) attacks.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 5.0
+ * @precision high
+ * @id py/samesite-none-cookie
+ * @tags security
+ *       external/cwe/cwe-1275
+ */
+
+import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.Concepts
+
+from Http::Server::CookieWrite cookie
+where cookie.hasSameSiteAttribute(any(Http::Server::CookieWrite::SameSiteNone v))
+select cookie, "Cookie is added with the SameSite attribute set to None."
diff --git a/python/ql/src/Security/CWE-614/InsecureCookie.ql b/python/ql/src/Security/CWE-614/InsecureCookie.ql
@@ -9,43 +9,12 @@
  * @id py/insecure-cookie
  * @tags security
  *       external/cwe/cwe-614
- *       external/cwe/cwe-1004
- *       external/cwe/cwe-1275
  */
 
 import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.Concepts
 
-predicate hasProblem(Http::Server::CookieWrite cookie, string alert, int idx) {
-  cookie.hasSecureFlag(false) and
-  alert = "Secure" and
-  idx = 0
-  or
-  cookie.hasHttpOnlyFlag(false) and
-  alert = "HttpOnly" and
-  idx = 1
-  or
-  cookie.hasSameSiteAttribute(any(Http::Server::CookieWrite::SameSiteNone v)) and
-  alert = "SameSite" and
-  idx = 2
-}
-
-predicate hasAlert(Http::Server::CookieWrite cookie, string alert) {
-  exists(int numProblems | numProblems = strictcount(string p | hasProblem(cookie, p, _)) |
-    numProblems = 1 and
-    alert = any(string prob | hasProblem(cookie, prob, _)) + " attribute"
-    or
-    numProblems = 2 and
-    alert =
-      strictconcat(string prob, int idx | hasProblem(cookie, prob, idx) | prob, " and " order by idx)
-        + " attributes"
-    or
-    numProblems = 3 and
-    alert = "Secure, HttpOnly, and SameSite attributes"
-  )
-}
-
-from Http::Server::CookieWrite cookie, string alert
-where hasAlert(cookie, alert)
-select cookie, "Cookie is added without the " + alert + " properly set."
+from Http::Server::CookieWrite cookie
+where cookie.hasSecureFlag(false)
+select cookie, "Cookie is added without the Secure attribute properly set."
