Python: Add cookie security-related queries

[jorgectf]

This PR adds:

• Modeling of:

• • Adding cookies in flask.
• • Adding cookies in django.

• Queries:

• • Cookie without (secure|httponly|samesite) flag properly set.
• • Cookie constructed from user-supplied input.

[RasmusWL]

I have not looked at this PR in depth, but just noted that this deals with setting cookies in HTTP responses. Would be great if you could integrate this with the existing HTTP::Server::CookieWrite concept implemented here:

codeql/python/ql/lib/semmle/python/Concepts.qll

Lines 759 to 784 in d97b130

	/**
	* A data-flow node that sets a cookie in an HTTP response.
	*
	* Extend this class to refine existing API models. If you want to model new APIs,
	* extend `HTTP::CookieWrite::Range` instead.
	*/
	class CookieWrite extends DataFlow::Node {
	CookieWrite::Range range;
	CookieWrite() { this = range }
	/**
	* Gets the argument, if any, specifying the raw cookie header.
	*/
	DataFlow::Node getHeaderArg() { result = range.getHeaderArg() }
	/**
	* Gets the argument, if any, specifying the cookie name.
	*/
	DataFlow::Node getNameArg() { result = range.getNameArg() }
	/**
	* Gets the argument, if any, specifying the cookie value.
	*/
	DataFlow::Node getValueArg() { result = range.getValueArg() }
	}

You can do this by creating your own experimental concepts that extend the existing concept, for an exmaple, see

codeql/python/ql/lib/semmle/python/Concepts.qll

Lines 75 to 106 in 85f00fd

	/**
	* A data flow node that writes data to the file system access.
	*
	* Extend this class to refine existing API models. If you want to model new APIs,
	* extend `FileSystemWriteAccess::Range` instead.
	*/
	class FileSystemWriteAccess extends FileSystemAccess {
	override FileSystemWriteAccess::Range range;
	/**
	* Gets a node that represents data to be written to the file system (possibly with
	* some transformation happening before it is written, like JSON encoding).
	*/
	DataFlow::Node getADataNode() { result = range.getADataNode() }
	}
	/** Provides a class for modeling new file system writes. */
	module FileSystemWriteAccess {
	/**
	* A data flow node that writes data to the file system access.
	*
	* Extend this class to model new APIs. If you want to refine existing API models,
	* extend `FileSystemWriteAccess` instead.
	*/
	abstract class Range extends FileSystemAccess::Range {
	/**
	* Gets a node that represents data to be written to the file system (possibly with
	* some transformation happening before it is written, like JSON encoding).
	*/
	abstract DataFlow::Node getADataNode();
	}
	}

I would base my modeling in Django/Flask on the existing modeling (that is, copy-paste it), such that it is easy to just override the existing modeling when promoting this query 👍

[jorgectf]

I haven't been able to find any CVE for this specific security issue, so the bounty submission has been closed.

[RasmusWL]

Thanks for the update @jorgectf. Will take a look on this PR soon 👍

[github-advanced-security]

Found 5 vulnerabilities.

[RasmusWL]

I took forever to review this, sorry 😬

For reference when promoting this, JS adopted an approach with multiple queries for each of these flags, so we should consider doing the same

• js/samesite-none-cookie (precision medium)
• js/client-exposed-cookie (precision high) -- for httpOnly flag
• js/clear-text-cookie (precision high) -- for 'secure' flag

See #6855 and #7721

I also think we need to review how bad CookieInjection really is. My thoughts without reading up on this at all is that it should be a @precision medium query -- a user can always set cookies on their own machine, so this is only a problem when a third-party attacker can set a cookie on a victim machine, meaning some cookie writing request without CSRF protection... but my intuition might be wrong 🤷