[Draft] Python: Split Insecure Cookie query into multiple queries #20494

joefarebrother · 2025-09-19T14:32:45Z

Splits the py/insecure-cookie query into py/insecure-cookie, py/client-exposed-cookie, and py/samesite-none-cookie.
This is closer to how these queries are handled in JS with js/clear-text-cookie, js/client-exposed-cookie, and js/samesite-none-cookie queries.

Copilot

Pull Request Overview

This PR splits the existing py/insecure-cookie query into three separate, more focused queries to better align with JavaScript's cookie security query structure. The original query checked for multiple cookie security attributes in a single query, while the new approach separates concerns into distinct queries.

Refactors py/insecure-cookie to only check for missing Secure attribute
Creates new py/client-exposed-cookie query for missing HttpOnly attribute
Creates new py/samesite-none-cookie query for SameSite=None attribute issues

Reviewed Changes

Copilot reviewed 19 out of 19 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
`python/ql/src/Security/CWE-614/InsecureCookie.ql`	Simplified to only check for missing Secure attribute
`python/ql/src/Security/CWE-1004/NonHttpOnlyCookie.ql`	New query for missing HttpOnly attribute
`python/ql/src/Security/CWE-1275/SameSiteNoneCookie.ql`	New query for SameSite=None issues
`python/ql/test/query-tests/Security/CWE-614-InsecureCookie/test.py`	Updated test with inline expectations for new query behavior
`python/ql/src/change-notes/2025-09-19-insecure-cookie.md`	Documents the query split changes

Comments suppressed due to low confidence (2)

python/ql/src/Security/CWE-1004/NonHttpOnlyCookie.ql

+from Http::Server::CookieWrite cookie
+where cookie.hasHttpOnlyFlag(false)
+select cookie, "Cookie is added without the HttpOnly attribute properly set."


python/ql/src/Security/CWE-1275/SameSiteNoneCookie.ql

+from Http::Server::CookieWrite cookie
+where cookie.hasSameSiteAttribute(any(Http::Server::CookieWrite::SameSiteNone v))
+select cookie, "Cookie is added with the SameSite attribute set to None."


python/ql/src/Security/CWE-614/InsecureCookie.ql

+from Http::Server::CookieWrite cookie
+where cookie.hasSecureFlag(false)
+select cookie, "Cookie is added without the Secure attribute properly set."


joefarebrother added 4 commits September 18, 2025 13:34

Split insecure cookies queries into 3 queries

7eabed6

Update qhelp

04316d3

Split test cases for insecure cookie queries

2e95c2b

Add changenote

a9a258e

joefarebrother requested a review from a team as a code owner September 19, 2025 14:32

Copilot AI review requested due to automatic review settings September 19, 2025 14:32

github-actions bot added documentation Python labels Sep 19, 2025

Copilot AI reviewed Sep 19, 2025

View reviewed changes

github-advanced-security bot found potential problems Sep 19, 2025

View reviewed changes

joefarebrother marked this pull request as draft September 19, 2025 21:41

joefarebrother changed the title ~~Python: Split Insecure Cookie query into multiple queries~~ [Draft] Python: Split Insecure Cookie query into multiple queries Sep 19, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[Draft] Python: Split Insecure Cookie query into multiple queries #20494

[Draft] Python: Split Insecure Cookie query into multiple queries #20494

joefarebrother commented Sep 19, 2025

Uh oh!

Copilot AI left a comment

Uh oh!

Check warning

Check warning

Check warning

Uh oh!

[Draft] Python: Split Insecure Cookie query into multiple queries #20494

Are you sure you want to change the base?

[Draft] Python: Split Insecure Cookie query into multiple queries #20494

Conversation

joefarebrother commented Sep 19, 2025

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull Request Overview

Reviewed Changes

Uh oh!

Check warning

Check warning

Check warning

Uh oh!