Rust: Add qhelp and examples.

geoffw0 · geoffw0 · commit bd07350bc399 · 2025-09-22T16:12:26.000+01:00
diff --git a/rust/ql/src/queries/security/CWE-614/InsecureCookie.qhelp b/rust/ql/src/queries/security/CWE-614/InsecureCookie.qhelp
@@ -0,0 +1,33 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+
+<p>Failing to set the 'Secure' attribute on a cookie allows it to be transmitted over an unencrypted (HTTP) connection. If an attacker can observe a user's network traffic (for example over an insecure Wi‑Fi network), they can access sensitive information in the cookie and potentially use it to impersonate the user.</p>
+
+</overview>
+<recommendation>
+
+<p>Always set the cookie 'Secure' attribute so that the browser only sends the cookie over HTTPS.</p>
+
+</recommendation>
+<example>
+
+<p>The following example creates a cookie using the <code>cookie</code> crate without the 'Secure' attribute:</p>
+
+<sample src="InsecureCookieBad.rs" />
+
+<p>In the fixed example, we either call <code>secure(true)</code> on the <code>CookieBuilder</code> or <code>set_secure(true)</code> on the <code>Cookie</code> itself:</p>
+
+<sample src="InsecureCookieGood.rs" />
+
+</example>
+<references>
+
+<li>MDN Web Docs: <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies">Using HTTP cookies</a>.</li>
+<li>OWASP Cheat Sheet Series: <a href="https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#transport-layer-security">Session Management Cheat Sheet - Transport Layer Security</a>.</li>
+<li>MDN Web Docs: <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#secure">Set-Cookie header - Secure</a>.</li>
+
+</references>
+</qhelp>
diff --git a/rust/ql/src/queries/security/CWE-614/InsecureCookieBad.rs b/rust/ql/src/queries/security/CWE-614/InsecureCookieBad.rs
@@ -0,0 +1,6 @@
+use cookie::Cookie;
+
+// BAD: creating a cookie without specifying the `secure` attribute
+let cookie = Cookie::build("session", "abcd1234").build();
+let mut jar = cookie::CookieJar::new();
+jar.add(cookie.clone());
diff --git a/rust/ql/src/queries/security/CWE-614/InsecureCookieGood.rs b/rust/ql/src/queries/security/CWE-614/InsecureCookieGood.rs
@@ -0,0 +1,11 @@
+use cookie::Cookie;
+
+// GOOD: set the `CookieBuilder` 'Secure' attribute so that the cookie is only sent over HTTPS
+let secure_cookie = Cookie::build("session", "abcd1234").secure(true).build();
+let mut jar = cookie::CookieJar::new();
+jar.add(secure_cookie.clone());
+
+// GOOD: alternatively, set the 'Secure' attribute on an existing `Cookie`
+let mut secure_cookie2 = Cookie::new("session", "abcd1234");
+secure_cookie2.set_secure(true);
+jar.add(secure_cookie2);
