Skip to content

Go: Promote non-httponly cookie query, and add insecure cookie query #20762

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 12 commits into
base: main
Choose a base branch
from
Open

Go: Promote non-httponly cookie query, and add insecure cookie query #20762

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
79f1818
Implement cookie write concepts and httponly query
joefarebrother Nov 3, 2025
5c1db90
Fixes, add secure query
joefarebrother Nov 5, 2025
9ce5975
Add modeling for gin
joefarebrother Nov 5, 2025
533b633
Add tests
joefarebrother Nov 6, 2025
c7a8712
Fixes and doc updates
joefarebrother Nov 6, 2025
87bf748
Add qhelp & fix tests
joefarebrother Nov 9, 2025
c4e9b10
Remove experimental query
joefarebrother Nov 10, 2025
1c96aff
Update integration tests
joefarebrother Nov 10, 2025
999eff1
Add change note
joefarebrother Nov 10, 2025
4c18577
Update integration test
joefarebrother Nov 10, 2025
837aba8
Update formatting
joefarebrother Nov 10, 2025
a078a4e
Fix typos
joefarebrother Nov 10, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions go/ql/integration-tests/query-suite/go-code-scanning.qls.expected
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ ql/go/ql/src/Security/CWE-079/HtmlTemplateEscapingBypassXss.ql
ql/go/ql/src/Security/CWE-079/ReflectedXss.ql
ql/go/ql/src/Security/CWE-089/SqlInjection.ql
ql/go/ql/src/Security/CWE-089/StringBreak.ql
ql/go/ql/src/Security/CWE-1004/CookieWithoutHttpOnly.ql
ql/go/ql/src/Security/CWE-190/AllocationSizeOverflow.ql
ql/go/ql/src/Security/CWE-209/StackTraceExposure.ql
ql/go/ql/src/Security/CWE-295/DisabledCertificateCheck.ql
Expand All @@ -24,6 +25,7 @@ ql/go/ql/src/Security/CWE-347/MissingJwtSignatureCheck.ql
ql/go/ql/src/Security/CWE-352/ConstantOauth2State.ql
ql/go/ql/src/Security/CWE-601/BadRedirectCheck.ql
ql/go/ql/src/Security/CWE-601/OpenUrlRedirect.ql
ql/go/ql/src/Security/CWE-614/CookieWithoutSecure.ql
ql/go/ql/src/Security/CWE-640/EmailInjection.ql
ql/go/ql/src/Security/CWE-643/XPathInjection.ql
ql/go/ql/src/Security/CWE-681/IncorrectIntegerConversionQuery.ql
Expand Down
2 changes: 2 additions & 0 deletions go/ql/integration-tests/query-suite/go-security-and-quality.qls.expected
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@ ql/go/ql/src/Security/CWE-079/HtmlTemplateEscapingBypassXss.ql
ql/go/ql/src/Security/CWE-079/ReflectedXss.ql
ql/go/ql/src/Security/CWE-089/SqlInjection.ql
ql/go/ql/src/Security/CWE-089/StringBreak.ql
ql/go/ql/src/Security/CWE-1004/CookieWithoutHttpOnly.ql
ql/go/ql/src/Security/CWE-117/LogInjection.ql
ql/go/ql/src/Security/CWE-190/AllocationSizeOverflow.ql
ql/go/ql/src/Security/CWE-209/StackTraceExposure.ql
Expand All @@ -47,6 +48,7 @@ ql/go/ql/src/Security/CWE-347/MissingJwtSignatureCheck.ql
ql/go/ql/src/Security/CWE-352/ConstantOauth2State.ql
ql/go/ql/src/Security/CWE-601/BadRedirectCheck.ql
ql/go/ql/src/Security/CWE-601/OpenUrlRedirect.ql
ql/go/ql/src/Security/CWE-614/CookieWithoutSecure.ql
ql/go/ql/src/Security/CWE-640/EmailInjection.ql
ql/go/ql/src/Security/CWE-643/XPathInjection.ql
ql/go/ql/src/Security/CWE-681/IncorrectIntegerConversionQuery.ql
Expand Down
2 changes: 2 additions & 0 deletions go/ql/integration-tests/query-suite/go-security-extended.qls.expected
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ ql/go/ql/src/Security/CWE-079/HtmlTemplateEscapingBypassXss.ql
ql/go/ql/src/Security/CWE-079/ReflectedXss.ql
ql/go/ql/src/Security/CWE-089/SqlInjection.ql
ql/go/ql/src/Security/CWE-089/StringBreak.ql
ql/go/ql/src/Security/CWE-1004/CookieWithoutHttpOnly.ql
ql/go/ql/src/Security/CWE-117/LogInjection.ql
ql/go/ql/src/Security/CWE-190/AllocationSizeOverflow.ql
ql/go/ql/src/Security/CWE-209/StackTraceExposure.ql
Expand All @@ -25,6 +26,7 @@ ql/go/ql/src/Security/CWE-347/MissingJwtSignatureCheck.ql
ql/go/ql/src/Security/CWE-352/ConstantOauth2State.ql
ql/go/ql/src/Security/CWE-601/BadRedirectCheck.ql
ql/go/ql/src/Security/CWE-601/OpenUrlRedirect.ql
ql/go/ql/src/Security/CWE-614/CookieWithoutSecure.ql
ql/go/ql/src/Security/CWE-640/EmailInjection.ql
ql/go/ql/src/Security/CWE-643/XPathInjection.ql
ql/go/ql/src/Security/CWE-681/IncorrectIntegerConversionQuery.ql
Expand Down
1 change: 0 additions & 1 deletion go/ql/integration-tests/query-suite/not_included_in_qls.expected
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,6 @@ ql/go/ql/src/Security/CWE-079/StoredXss.ql
ql/go/ql/src/Security/CWE-798/HardcodedCredentials.ql
ql/go/ql/src/definitions.ql
ql/go/ql/src/experimental/CWE-090/LDAPInjection.ql
ql/go/ql/src/experimental/CWE-1004/CookieWithoutHttpOnly.ql
ql/go/ql/src/experimental/CWE-203/Timing.ql
ql/go/ql/src/experimental/CWE-285/PamAuthBypass.ql
ql/go/ql/src/experimental/CWE-287/ImproperLdapAuth.ql
Expand Down
1 change: 1 addition & 0 deletions go/ql/lib/go.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,7 @@ import semmle.go.frameworks.ElazarlGoproxy
import semmle.go.frameworks.Email
import semmle.go.frameworks.Encoding
import semmle.go.frameworks.Fasthttp
import semmle.go.frameworks.Gin
import semmle.go.frameworks.GinCors
import semmle.go.frameworks.Glog
import semmle.go.frameworks.GoJose
Expand Down
92 changes: 92 additions & 0 deletions go/ql/lib/semmle/go/concepts/HTTP.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -380,4 +380,96 @@ module Http {
/** Gets a node that is used in a check that is tested before this handler is run. */
predicate guardedBy(DataFlow::Node check) { super.guardedBy(check) }
}

/** Provides a class for modeling HTTP response cookie writes. */
Copy link
Contributor

@owen-mc owen-mc Nov 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
/** Provides a class for modeling HTTP response cookie writes. */
/** Provides a class for modeling new HTTP response cookie write APIs. */

module CookieWrite {
/**
* A write of an HTTP Cookie to an HTTP response.
*
* Extend this class to model new APIs. If you want to refine existing API models,
* extend `HTTP::CookieWrite` instead.
*/
abstract class Range extends DataFlow::Node {
/** Gets the name of the cookie written. */
abstract DataFlow::Node getName();

/** Gets the value of the cookie written. */
abstract DataFlow::Node getValue();

/** Gets the `Secure` attribute of the cookie written. */
abstract DataFlow::Node getSecure();

/** Gets the `HttpOnly` attribute of the cookie written. */
abstract DataFlow::Node getHttpOnly();
}
}

/**
* A write of an HTTP Cookie to an HTTP response.
*
* Extend this class to refine existing API models. If you want to model new APIs,
* extend `HTTP::CookieWrite::Range` instead.
*/
class CookieWrite extends DataFlow::Node instanceof CookieWrite::Range {
/** Gets the name of the cookie written. */
DataFlow::Node getName() { result = super.getName() }

/** Gets the value of the cookie written. */
DataFlow::Node getValue() { result = super.getValue() }

/** Gets the `Secure` attribute of the cookie written. */
DataFlow::Node getSecure() { result = super.getSecure() }

/** Gets the `HttpOnly` attribute of the cookie written. */
DataFlow::Node getHttpOnly() { result = super.getHttpOnly() }
}

/** Provides a class for modeling the options of an HTTP cookie. */
Copy link
Contributor

@owen-mc owen-mc Nov 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
/** Provides a class for modeling the options of an HTTP cookie. */
/** Provides a class for modeling new APIs for the options of an HTTP cookie. */

module CookieOptions {
/**
* An HTTP Cookie object.
Comment on lines +428 to +430
Copy link
Contributor

@owen-mc owen-mc Nov 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The class name doesn't really match the QLDoc, and I think they're both wrong. It isn't a cookie object, or the options of a cookie. The only class extending it is NetHttp::CookieFieldWrite. I think it is a node which sets an option of a cookie, so maybe CookieOptionWrite?

*
* Extend this class to model new APIs. If you want to refine existing API models,
* extend `HTTP::CookieOptions` instead.
*/
abstract class Range extends DataFlow::Node {
/** Gets the node representing the cookie object for the options being set. */
abstract DataFlow::Node getCookieOutput();

/** Gets the name of the cookie represented. */
abstract DataFlow::Node getName();

/** Gets the value of the cookie represented. */
abstract DataFlow::Node getValue();

/** Gets the `Secure` attribute of the cookie represented. */
abstract DataFlow::Node getSecure();

/** Gets the `HttpOnly` attribute of the cookie represented. */
abstract DataFlow::Node getHttpOnly();
}
}

/**
* An HTTP Cookie.
*
* Extend this class to refine existing API models. If you want to model new APIs,
* extend `HTTP::CookieOptions::Range` instead.
*/
class CookieOptions extends DataFlow::Node instanceof CookieOptions::Range {
/** Gets the node representing the cookie object for the options being set. */
DataFlow::Node getCookieOutput() { result = super.getCookieOutput() }

/** Gets the name of the cookie represented. */
DataFlow::Node getName() { result = super.getName() }

/** Gets the value of the cookie represented. */
DataFlow::Node getValue() { result = super.getValue() }

/** Gets the `Secure` attribute of the cookie represented. */
DataFlow::Node getSecure() { result = super.getSecure() }

/** Gets the `HttpOnly` attribute of the cookie represented. */
DataFlow::Node getHttpOnly() { result = super.getHttpOnly() }
Comment on lines +463 to +473
Copy link
Contributor

@owen-mc owen-mc Nov 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have I understood correctly that these won't always be defined? If so, add ", if any" to the end of the QLDocs for them. (Same in the Range class too.)

}
}
24 changes: 24 additions & 0 deletions go/ql/lib/semmle/go/frameworks/Gin.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
/**
* Provides classes for modeling the `github.com/gin-gonic/gin` package.
*/

import go
import semmle.go.concepts.HTTP

/** Provides models for the `gin-gonic/gin` package. */
module Gin {
/** Gets the package name `github.com/gin-gonic/gin`. */
string packagePath() { result = package("github.com/gin-gonic/gin", "") }

private class GinCookieWrite extends Http::CookieWrite::Range, DataFlow::MethodCallNode {
GinCookieWrite() { this.getTarget().hasQualifiedName(packagePath(), "Context", "SetCookie") }

override DataFlow::Node getName() { result = this.getArgument(0) }

override DataFlow::Node getValue() { result = this.getArgument(1) }

override DataFlow::Node getSecure() { result = this.getArgument(5) }

override DataFlow::Node getHttpOnly() { result = this.getArgument(6) }
}
}
34 changes: 34 additions & 0 deletions go/ql/lib/semmle/go/frameworks/stdlib/NetHttp.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -293,4 +293,38 @@ module NetHttp {

override DataFlow::Node getAPathArgument() { result = this.getArgument(2) }
}

private class CookieWrite extends Http::CookieWrite::Range, DataFlow::CallNode {
CookieWrite() { this.getTarget().hasQualifiedName(package("net/http", ""), "SetCookie") }

override DataFlow::Node getName() { result = this.getArgument(1) }

override DataFlow::Node getValue() { result = this.getArgument(1) }

override DataFlow::Node getSecure() { result = this.getArgument(1) }

override DataFlow::Node getHttpOnly() { result = this.getArgument(1) }
}

private class CookieFieldWrite extends Http::CookieOptions::Range {
Write w;
Field f;
Comment on lines +310 to +311
Copy link
Contributor

@owen-mc owen-mc Nov 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rather than storing these as fields, they should be introduced in the characteristic predicate using exists, since they aren't referenced by any of the member predicates.

DataFlow::Node written;
string fieldName;

CookieFieldWrite() {
f.hasQualifiedName(package("net/http", ""), "Cookie", fieldName) and
w.writesField(this, f, written)
}

override DataFlow::Node getCookieOutput() { result = this }

override DataFlow::Node getName() { fieldName = "Name" and result = written }

override DataFlow::Node getValue() { fieldName = "Value" and result = written }

override DataFlow::Node getSecure() { fieldName = "Secure" and result = written }

override DataFlow::Node getHttpOnly() { fieldName = "HttpOnly" and result = written }
}
}
108 changes: 108 additions & 0 deletions go/ql/lib/semmle/go/security/SecureCookies.qll
View file
Open in desktop
Copy link
Contributor

@owen-mc owen-mc Nov 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's confusing having predicates for two different queries in this one file (which is then only named after one of the predicates). Unless there is a good reason to keep them together, please put them in two separate files, named CookieWithoutSecure.qll and CookieWithoutHttpOnly.qll, so it's clear which query they relate to. I think there isn't any shared code - there probably was before you put things into concepts/HTTP.qll.

Original file line number Diff line number Diff line change
@@ -0,0 +1,108 @@
/** Provides classes and predicates for identifying HTTP cookies with insecure attributes. */

import go
import semmle.go.concepts.HTTP
import semmle.go.dataflow.DataFlow

/**
* Holds if the expression or its value has a sensitive name
Copy link
Contributor

@owen-mc owen-mc Nov 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* Holds if the expression or its value has a sensitive name
* Holds if the expression or its value has a sensitive name.

*/
private predicate isSensitiveExpr(Expr expr, string val) {
Copy link
Contributor

@owen-mc owen-mc Nov 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The predicate name is confusing because in go/ql/lib/semmle/go/security/SensitiveActions.qll there is a class SensitiveExpr. A clearer name would be something like isSensitiveCookieName? But actually I think there is a better approach, which avoids having to come up with a clear name for it: make it an additional predicate in SensitiveCookieNameConfig with the signature isSource(Expr expr, string val) and then isSource(DataFlow::Node source) would just be isSource(source.asExpr(), _).

(
val = expr.getStringValue() or
val = expr.(Name).getTarget().getName()
) and
val.regexpMatch("(?i).*(session|login|token|user|auth|credential).*") and
not val.regexpMatch("(?i).*(xsrf|csrf|forgery).*")
}

private module SensitiveCookieNameConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { isSensitiveExpr(source.asExpr(), _) }

predicate isSink(DataFlow::Node sink) { exists(Http::CookieWrite cw | sink = cw.getName()) }
Copy link
Contributor

@owen-mc owen-mc Nov 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this would be cleaner with an additional predicate isSink(DataFlow::Node sink, Http::CookieWrite cw) { sink = cw.getName() } and then isSink(DataFlow::Node sink) { isSink(sink, _) }. Then you can use the additional predicate in isSensitiveCookie


predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
exists(Http::CookieOptions co | co.getName() = pred and co.getCookieOutput() = succ)
}
}

/** Tracks flow from sensitive names to HTTP cookie writes. */
module SensitiveCookieNameFlow = TaintTracking::Global<SensitiveCookieNameConfig>;

private module BooleanCookieSecureConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
source.getType().getUnderlyingType() instanceof BoolType
}

predicate isSink(DataFlow::Node sink) { exists(Http::CookieWrite cw | sink = cw.getSecure()) }

predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
exists(Http::CookieOptions co | co.getSecure() = pred and co.getCookieOutput() = succ)
}
}

/** Tracks flow from boolean expressions to the `Secure` attribute of HTTP cookie writes. */
module BooleanCookieSecureFlow = TaintTracking::Global<BooleanCookieSecureConfig>;

private module BooleanCookieHttpOnlyConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
source.getType().getUnderlyingType() instanceof BoolType
}

predicate isSink(DataFlow::Node sink) { exists(Http::CookieWrite cw | sink = cw.getHttpOnly()) }

predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
exists(Http::CookieOptions co | co.getHttpOnly() = pred and co.getCookieOutput() = succ)
}
}

/** Tracks flow from boolean expressions to the `HttpOnly` attribute of HTTP cookie writes. */
module BooleanCookieHttpOnlyFlow = TaintTracking::Global<BooleanCookieHttpOnlyConfig>;

/** Holds if `cw` has the `Secure` attribute left at its default value of `false`. */
predicate isInsecureDefault(Http::CookieWrite cw) {
not BooleanCookieSecureFlow::flow(_, cw.getSecure())
}

/** Holds if `cw` has the `Secure` attribute explicitly set to `false`, from the expression `boolFalse`. */
predicate isInsecureDirect(Http::CookieWrite cw, Expr boolFalse) {
BooleanCookieSecureFlow::flow(DataFlow::exprNode(boolFalse), cw.getSecure()) and
boolFalse.getBoolValue() = false
}

/** Holds if `cw` has the `Secure` attribute set to `false`, either explicitly or by default. */
predicate isInsecureCookie(Http::CookieWrite cw) {
isInsecureDefault(cw) or
isInsecureDirect(cw, _)
}

/** Holds if `cw` has the `HttpOnly` attribute left at its default value of `false`. */
predicate isNonHttpOnlyDefault(Http::CookieWrite cw) {
not BooleanCookieHttpOnlyFlow::flow(_, cw.getHttpOnly())
}

/** Holds if `cw` has the `HttpOnly` attribute explicitly set to `false`, from the expression `boolFalse`. */
predicate isNonHttpOnlyDirect(Http::CookieWrite cw, Expr boolFalse) {
BooleanCookieHttpOnlyFlow::flow(DataFlow::exprNode(boolFalse), cw.getHttpOnly()) and
boolFalse.getBoolValue() = false
}

/** Holds if `cw` has the `HttpOnly` attribute set to `false`, either explicitly or by default. */
predicate isNonHttpOnlyCookie(Http::CookieWrite cw) {
isNonHttpOnlyDefault(cw) or
isNonHttpOnlyDirect(cw, _)
}

/**
* Holds if `cw` has the sensitive name `name`, from the expression `nameExpr`.
* `source` and `sink` represent the data flow path from the sensitive name expression to the cookie write.
*/
predicate isSensitiveCookie(
Http::CookieWrite cw, Expr nameExpr, string name, SensitiveCookieNameFlow::PathNode source,
SensitiveCookieNameFlow::PathNode sink
) {
SensitiveCookieNameFlow::flowPath(source, sink) and
source.getNode().asExpr() = nameExpr and
sink.getNode() = cw.getName() and
isSensitiveExpr(nameExpr, name)
}
34 changes: 34 additions & 0 deletions go/ql/src/Security/CWE-1004/CookieWithoutHttpOnly.qhelp
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>

<overview>
<p>Cookies without the <code>HttpOnly</code> flag set are accessible to client-side scripts such as JavaScript running in the same origin.
In case of a Cross-Site Scripting (XSS) vulnerability, the cookie can be stolen by a malicious script.
If a sensitive cookie does not need to be accessed directly by client-side JS, the <code>HttpOnly</code> flag should be set.</p>
</overview>

<recommendation>
<p>
Set the <code>HttpOnly</code> flag to <code>true</code> for authentication cookies to ensure they are not accessible to client-side scripts.
</p>
</recommendation>

<example>
<p>
In the following example, in the case marked BAD, the <code>HttpOnly</code> flag is not set, so the default value of <code>false</code> is used.
In the case marked GOOD, the <code>HttpOnly</code> flag is set to <code>true</code>.
</p>
<sample src="examples/CookieWithoutHttpOnly.go"/>


</example>

<references>

<li>MDN: <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie">Set-Cookie</a> Header.</li>
<li>PortSwigger: <a href="https://portswigger.net/kb/issues/00500600_cookie-without-httponly-flag-set">Cookie without HttpOnly flag set</a></li>

</references>
</qhelp>
25 changes: 25 additions & 0 deletions go/ql/src/Security/CWE-1004/CookieWithoutHttpOnly.ql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
/**
* @name Cookie 'HttpOnly' attribute is not set to true
* @description Sensitive cookies without the `HttpOnly` property set are accessible by client-side scripts such as JavaScript.
* This makes them more vulnerable to being stolen by an XSS attack.
* @kind path-problem
* @problem.severity warning
* @precision high
* @security-severity 5.0
* @id go/cookie-httponly-not-set
* @tags security
* external/cwe/cwe-1004
*/

import go
import semmle.go.security.SecureCookies
import SensitiveCookieNameFlow::PathGraph

from
Http::CookieWrite cw, Expr sensitiveNameExpr, string name,
SensitiveCookieNameFlow::PathNode source, SensitiveCookieNameFlow::PathNode sink
where
isSensitiveCookie(cw, sensitiveNameExpr, name, source, sink) and
isNonHttpOnlyCookie(cw)
select cw, source, sink, "Sensitive cookie $@ does not set HttpOnly attribute to true.",
sensitiveNameExpr, name
Loading