@@ -26,9 +26,9 @@ module Cookie {
2626 abstract DataFlow:: Node getCookieOptionsArgument ( ) ;
2727
2828 /**
29- * Predicate that determines if a cookie is insecure .
29+ * Holds if this cookie is secure .
3030 */
31- abstract predicate isInsecure ( ) ;
31+ abstract predicate isSecure ( ) ;
3232 }
3333
3434 /**
@@ -43,9 +43,10 @@ module Cookie {
4343 result = this .getCookieOptionsArgument ( ) .getAPropertyWrite ( flag ) .getRhs ( )
4444 }
4545
46- override predicate isInsecure ( ) {
47- // A cookie is insecure if the `secure` flag is explicitly set to `false`.
48- getCookieFlagValue ( flag ( ) ) .mayHaveBooleanValue ( false )
46+ override predicate isSecure ( ) {
47+ // The flag `secure` is set to `false` by default for HTTP, `true` by default for HTTPS (https://github.com/expressjs/cookie-session#cookie-options).
48+ // A cookie is secure if the `secure` flag is not explicitly set to `false`.
49+ not getCookieFlagValue ( flag ( ) ) .mayHaveBooleanValue ( false )
4950 }
5051 }
5152
@@ -62,10 +63,12 @@ module Cookie {
6263 result = this .getCookieOptionsArgument ( ) .getAPropertyWrite ( flag ) .getRhs ( )
6364 }
6465
65- override predicate isInsecure ( ) {
66- // A cookie is insecure if there are not cookie options with the `secure` flag set to `true`.
67- not getCookieFlagValue ( flag ( ) ) .mayHaveBooleanValue ( true ) and
68- not getCookieFlagValue ( flag ( ) ) .mayHaveStringValue ( "auto" )
66+ override predicate isSecure ( ) {
67+ // The flag `secure` is not set by default (https://github.com/expressjs/session#Cookieecure).
68+ // The default value for cookie options is { path: '/', httpOnly: true, secure: false, maxAge: null }.
69+ // A cookie is secure if there are the cookie options with the `secure` flag set to `true` or to `auto`.
70+ getCookieFlagValue ( flag ( ) ) .mayHaveBooleanValue ( true ) or
71+ getCookieFlagValue ( flag ( ) ) .mayHaveStringValue ( "auto" )
6972 }
7073 }
7174
@@ -87,9 +90,9 @@ module Cookie {
8790 result = this .getCookieOptionsArgument ( ) .getAPropertyWrite ( flag ) .getRhs ( )
8891 }
8992
90- override predicate isInsecure ( ) {
91- // A cookie is insecure if there are not cookie options with the `secure` flag set to `true`.
92- not getCookieFlagValue ( flag ( ) ) .mayHaveBooleanValue ( true )
93+ override predicate isSecure ( ) {
94+ // A cookie is secure if there are cookie options with the `secure` flag set to `true`.
95+ getCookieFlagValue ( flag ( ) ) .mayHaveBooleanValue ( true )
9396 }
9497 }
9598
@@ -107,9 +110,9 @@ module Cookie {
107110 result .asExpr ( ) = this .asExpr ( ) .( ArrayExpr ) .getAnElement ( )
108111 }
109112
110- override predicate isInsecure ( ) {
111- // A cookie is insecure if the 'secure' flag is not specified in the cookie definition.
112- not exists ( string s |
113+ override predicate isSecure ( ) {
114+ // A cookie is secure if the 'secure' flag is specified in the cookie definition.
115+ exists ( string s |
113116 getCookieOptionsArgument ( ) .mayHaveStringValue ( s ) and
114117 s .regexpMatch ( "(.*;)?\\s*secure.*" )
115118 )
@@ -129,16 +132,16 @@ module Cookie {
129132 override string getKind ( ) { result = "js-cookie" }
130133
131134 override DataFlow:: SourceNode getCookieOptionsArgument ( ) {
132- result = this .( DataFlow:: CallNode ) .getArgument ( 2 ) .getALocalSource ( )
135+ result = this .( DataFlow:: CallNode ) .getAnArgument ( ) .getALocalSource ( )
133136 }
134137
135138 DataFlow:: Node getCookieFlagValue ( string flag ) {
136139 result = this .getCookieOptionsArgument ( ) .getAPropertyWrite ( flag ) .getRhs ( )
137140 }
138141
139- override predicate isInsecure ( ) {
140- // A cookie is insecure if there are not cookie options with the `secure` flag set to `true`.
141- not getCookieFlagValue ( flag ( ) ) .mayHaveBooleanValue ( true )
142+ override predicate isSecure ( ) {
143+ // A cookie is secure if there are cookie options with the `secure` flag set to `true`.
144+ getCookieFlagValue ( flag ( ) ) .mayHaveBooleanValue ( true )
142145 }
143146 }
144147}
0 commit comments