-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathCookieWithoutSecure.ql
More file actions
113 lines (103 loc) · 3.4 KB
/
CookieWithoutSecure.ql
File metadata and controls
113 lines (103 loc) · 3.4 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
/**
* @name Cookie 'Secure' attribute is not set to true
* @description Cookies without the `Secure` flag may be sent in cleartext.
* This makes them vulnerable to be intercepted by an attacker.
* @kind problem
* @problem.severity error
* @security-severity 5.0
* @precision high
* @id cs/web/cookie-secure-not-set
* @tags security
* external/cwe/cwe-319
* external/cwe/cwe-614
*/
import csharp
import semmle.code.asp.WebConfig
import semmle.code.csharp.frameworks.system.Web
import semmle.code.csharp.frameworks.microsoft.AspNetCore
import semmle.code.csharp.security.auth.SecureCookies
predicate cookieAppendSecureByDefault() {
// default is set to `Always` or `SameAsRequest`
(
getAValueForCookiePolicyProp("Secure").getValue() = "0" or
getAValueForCookiePolicyProp("Secure").getValue() = "1"
)
or
//callback `OnAppendCookie` that sets `Secure` to true
OnAppendCookieSecureTracking::flowTo(_)
}
predicate secureFalse(ObjectCreation oc) {
exists(Assignment a |
getAValueForProp(oc, a, "Secure") = a.getRightOperand() and
a.getRightOperand().getValue() = "false"
)
}
predicate secureFalseOrNotSet(ObjectCreation oc) {
secureFalse(oc)
or
not isPropertySet(oc, "Secure")
}
predicate insecureCookieOptionsCreation(ObjectCreation oc) {
// `Secure` property in `CookieOptions` passed to IResponseCookies.Append(...) wasn't set
oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
secureFalseOrNotSet(oc) and
CookieOptionsTracking::flowFromExpr(oc)
}
predicate insecureCookieAppend(Expr sink) {
// IResponseCookies.Append(String, String) was called, `Secure` is set to `false` by default
exists(MethodCall mc, MicrosoftAspNetCoreHttpResponseCookies iResponse |
mc = sink and
iResponse.getAppendMethod() = mc.getTarget() and
mc.getNumberOfArguments() < 3 and
mc.getTarget().getParameter(0).getType() instanceof StringType
)
}
predicate insecureSystemWebCookieCreation(ObjectCreation oc) {
oc.getType() instanceof SystemWebHttpCookie and
(
secureFalse(oc)
or
// `Secure` property in `System.Web.HttpCookie` wasn't set, so a default value from config is used
not isPropertySet(oc, "Secure") and
// the default in config is not set to `true`
not exists(XmlElement element |
element instanceof FormsElement and
element.(FormsElement).isRequireSsl()
or
element instanceof HttpCookiesElement and
element.(HttpCookiesElement).isRequireSsl()
)
)
}
predicate insecureCookieCall(Call c) {
not cookieAppendSecureByDefault() and
(
insecureCookieOptionsCreation(c)
or
insecureCookieAppend(c)
)
or
insecureSystemWebCookieCreation(c)
}
predicate insecureSecurePolicyAssignment(Assignment a, Expr val) {
exists(PropertyWrite pw |
(
pw.getProperty().getDeclaringType() instanceof MicrosoftAspNetCoreHttpCookieBuilder or
pw.getProperty().getDeclaringType() instanceof
MicrosoftAspNetCoreAuthenticationCookiesCookieAuthenticationOptions
) and
pw.getProperty().getName() = "SecurePolicy" and
a.getLeftOperand() = pw and
DataFlow::localExprFlow(val, a.getRightOperand()) and
val.getValue() = "2" // None
)
}
from Expr secureSink
where
insecureCookieCall(secureSink)
or
exists(Assignment a |
secureSink = a.getRightOperand() and
insecureSecurePolicyAssignment(a, _)
)
select secureSink, "Cookie attribute 'Secure' is not set to true."