github · joefarebrother · Oct 24, 2025 · Sep 18, 2025 · Sep 19, 2025 · Sep 19, 2025
@@ -0,0 +1,19 @@
+/**
+ * @name Cookie missing `HttpOnly` attribute.
+ * @description Cookies without the `HttpOnly` attribute set can be accessed by JS scripts, making them more vulnerable to XSS attacks.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 5.0
+ * @precision high
+ * @id py/client-exposed-cookie
+ * @tags security
+ *       external/cwe/cwe-1004
+ */
+
+import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.Concepts
+
+from Http::Server::CookieWrite cookie
+where cookie.hasHttpOnlyFlag(false)
+select cookie, "Cookie is added without the HttpOnly attribute properly set."
diff --git a/python/ql/src/Security/CWE-1004/NotHttpOnlyCookie.qhelp b/python/ql/src/Security/CWE-1004/NotHttpOnlyCookie.qhelp
@@ -0,0 +1,26 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>Cookies without the <code>HttpOnly</code> flag set are accessible to JavaScript running in the same origin. 
+In case of a Cross-Site Scripting (XSS) vulnerability, the cookie can be stolen by a malicious script.
+If a cookie does not need to be accessed directly by client-side JS, the <code>HttpOnly</code> flag should be set.</p>
+</overview>
+
+<recommendation>
+<p>Set <code>httponly</code> to <code>True</code>, or add <code>; HttpOnly;</code> to the cookie's raw header value, to ensure that the cookie is not accessible via JavaScript.</p>
+</recommendation>
+
+<example>
+<p>In the following examples, the cases marked GOOD show secure cookie attributes being set; whereas in the case marked BAD they are not set.</p>
+<sample src="examples/InsecureCookie.py" />
+</example>
+
+<references>
+<li>PortSwigger: <a href="https://portswigger.net/kb/issues/00500600_cookie-without-httponly-flag-set">Cookie without HttpOnly flag set</a></li>
+<li>MDN: <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie">Set-Cookie</a>.</li>
+</references>
+
+</qhelp>
@@ -0,0 +1,21 @@
+from flask import Flask, request, make_response, Response
+
+
+@app.route("/good1")
+def good1():
+    resp = make_response()
+    resp.set_cookie("name", value="value", secure=True, httponly=True, samesite='Strict') # GOOD: Attributes are securely set
+    return resp
+
+
+@app.route("/good2")
+def good2():
+    resp = make_response()
+    resp.headers['Set-Cookie'] = "name=value; Secure; HttpOnly; SameSite=Strict" # GOOD: Attributes are securely set 
+    return resp
+
+@app.route("/bad1")
+def bad1():
+    resp = make_response()
+    resp.set_cookie("name", value="value", samesite='None') # BAD: the SameSite attribute is set to 'None' and the 'Secure' and 'HttpOnly' attributes are set to False by default.
+    return resp
@@ -0,0 +1,26 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>Cookies with the <code>SameSite</code> attribute set to <code>'None'</code> will be sent with cross-origin requests. 
+This can sometimes allow for Cross-Site Request Forgery (CSRF) attacks, in which a third-party site could perform actions on behalf of a user.</p>
+</overview>
+
+<recommendation>
+<p>Set the <code>samesite</code> to <code>Lax</code> or <code>Strict</code>, or add <code>; SameSite=Lax;</code>, or
+<code>; SameSite=Strict;</code> to the cookie's raw header value. The default value in most cases is <code>Lax</code>.</p>
+</recommendation>
+
+<example>
+<p>In the following examples, the cases marked GOOD show secure cookie attributes being set; whereas in the case marked BAD they are not set.</p>
+<sample src="examples/InsecureCookie.py" />
+</example>
+
+<references>
+<li>MDN: <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie">Set-Cookie</a>.</li>
+<li>OWASP: <a href="https://owasp.org/www-community/SameSite">SameSite</a>.</li>
+</references>
+
+</qhelp>
@@ -0,0 +1,19 @@
+/**
+ * @name Cookie with `SameSite` attribute set to `None`.
+ * @description Cookies with `SameSite` set to `None` can allow for Cross-Site Request Forgery (CSRF) attacks.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 3.5
+ * @precision high
+ * @id py/samesite-none-cookie
+ * @tags security
+ *       external/cwe/cwe-1275
+ */
+
+import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.Concepts
+
+from Http::Server::CookieWrite cookie
+where cookie.hasSameSiteAttribute(any(Http::Server::CookieWrite::SameSiteNone v))
+select cookie, "Cookie is added with the SameSite attribute set to None."
@@ -0,0 +1,21 @@
+from flask import Flask, request, make_response, Response
+
+
+@app.route("/good1")
+def good1():
+    resp = make_response()
+    resp.set_cookie("name", value="value", secure=True, httponly=True, samesite='Strict') # GOOD: Attributes are securely set
+    return resp
+
+
+@app.route("/good2")
+def good2():
+    resp = make_response()
+    resp.headers['Set-Cookie'] = "name=value; Secure; HttpOnly; SameSite=Strict" # GOOD: Attributes are securely set 
+    return resp
+
+@app.route("/bad1")
+def bad1():
+    resp = make_response()
+    resp.set_cookie("name", value="value", samesite='None') # BAD: the SameSite attribute is set to 'None' and the 'Secure' and 'HttpOnly' attributes are set to False by default.
+    return resp
@@ -4,26 +4,25 @@
 <qhelp>
 
 <overview>
-<p>Cookies without the <code>Secure</code> flag set may be transmitted using HTTP instead of HTTPS, which leaves them vulnerable to reading by a third party.</p>
-<p>Cookies without the <code>HttpOnly</code> flag set are accessible to JavaScript running in the same origin. In case of a Cross-Site Scripting (XSS) vulnerability, the cookie can be stolen by a malicious script.</p>
-<p>Cookies with the <code>SameSite</code> attribute set to <code>'None'</code> will be sent with cross-origin requests, which can be controlled by third-party JavaScript code and allow for Cross-Site Request Forgery (CSRF) attacks.</p>
+<p>Cookies without the <code>Secure</code> flag set may be transmitted using HTTP instead of HTTPS.
+This leaves them vulnerable to being read by a third party attacker. If a sensitive cookie such as a session
+key is intercepted this way, it would allow the attacker to perform actions on a user's behalf.</p>
 </overview>
 
 <recommendation>
-<p>Always set <code>secure</code> to <code>True</code> or add "; Secure;" to the cookie's raw value.</p>
-<p>Always set <code>httponly</code> to <code>True</code> or add "; HttpOnly;" to the cookie's raw value.</p>
-<p>Always set <code>samesite</code> to <code>Lax</code> or <code>Strict</code>, or add "; SameSite=Lax;", or
-"; Samesite=Strict;" to the cookie's raw header value.</p>
+<p>Always set <code>secure</code> to <code>True</code>, or add <code>; Secure;</code> to the cookie's raw header value, to ensure SSL is used to transmit the cookie
+with encryption.</p>
 </recommendation>
 
 <example>
-<p>In the following examples, the cases marked GOOD show secure cookie attributes being set; whereas in the cases marked BAD they are not set.</p>
+<p>In the following examples, the cases marked GOOD show secure cookie attributes being set; whereas in the case marked BAD they are not set.</p>
 <sample src="examples/InsecureCookie.py" />
 </example>
 
 <references>
 <li>Detectify: <a href="https://support.detectify.com/support/solutions/articles/48001048982-cookie-lack-secure-flag">Cookie lack Secure flag</a>.</li>
 <li>PortSwigger: <a href="https://portswigger.net/kb/issues/00500200_tls-cookie-without-secure-flag-set">TLS cookie without secure flag set</a>.</li>
+<li>MDN: <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie">Set-Cookie</a>.</li>
 </references>
 
 </qhelp>
@@ -9,43 +9,12 @@
  * @id py/insecure-cookie
  * @tags security
  *       external/cwe/cwe-614
- *       external/cwe/cwe-1004
- *       external/cwe/cwe-1275
  */
 
 import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.Concepts
 
-predicate hasProblem(Http::Server::CookieWrite cookie, string alert, int idx) {
-  cookie.hasSecureFlag(false) and
-  alert = "Secure" and
-  idx = 0
-  or
-  cookie.hasHttpOnlyFlag(false) and
-  alert = "HttpOnly" and
-  idx = 1
-  or
-  cookie.hasSameSiteAttribute(any(Http::Server::CookieWrite::SameSiteNone v)) and
-  alert = "SameSite" and
-  idx = 2
-}
-
-predicate hasAlert(Http::Server::CookieWrite cookie, string alert) {
-  exists(int numProblems | numProblems = strictcount(string p | hasProblem(cookie, p, _)) |
-    numProblems = 1 and
-    alert = any(string prob | hasProblem(cookie, prob, _)) + " attribute"
-    or
-    numProblems = 2 and
-    alert =
-      strictconcat(string prob, int idx | hasProblem(cookie, prob, idx) | prob, " and " order by idx)
-        + " attributes"
-    or
-    numProblems = 3 and
-    alert = "Secure, HttpOnly, and SameSite attributes"
-  )
-}
-
-from Http::Server::CookieWrite cookie, string alert
-where hasAlert(cookie, alert)
-select cookie, "Cookie is added without the " + alert + " properly set."
+from Http::Server::CookieWrite cookie
+where cookie.hasSecureFlag(false)
+select cookie, "Cookie is added without the Secure attribute properly set."
@@ -15,6 +15,7 @@ def good2():
     return resp
 
 @app.route("/bad1")
+def bad1():
     resp = make_response()
     resp.set_cookie("name", value="value", samesite='None') # BAD: the SameSite attribute is set to 'None' and the 'Secure' and 'HttpOnly' attributes are set to False by default.
     return resp
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `py/insecure-cookie` query has been split into multiple queries; with `py/insecure-cookie` checking for cases in which `Secure` flag is not set, `py/client-exposed-cookie` checking for cases in which the `HttpOnly` flag is not set, and the `py/samesite-none` query checking for cases in which the `SameSite` attribute is set to `None`. 
@@ -0,0 +1,7 @@
+| test.py:8:5:8:37 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
+| test.py:9:5:9:50 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
+| test.py:11:5:11:56 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
+| test.py:12:5:12:53 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
+| test.py:13:5:13:54 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
+| test.py:14:5:14:69 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
+| test.py:16:5:16:67 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
@@ -0,0 +1,2 @@
+query: Security/CWE-1004/NonHttpOnlyCookie.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
@@ -0,0 +1,18 @@
+from flask import Flask, request, make_response
+
+app = Flask(__name__)
+
+@app.route("/test")
+def test():
+    resp = make_response()
+    resp.set_cookie("key1", "value1") # $Alert[py/client-exposed-cookie]
+    resp.set_cookie("key2", "value2", secure=True) # $Alert[py/client-exposed-cookie]
+    resp.set_cookie("key2", "value2", httponly=True) 
+    resp.set_cookie("key2", "value2", samesite="Strict") # $Alert[py/client-exposed-cookie]
+    resp.set_cookie("key2", "value2", samesite="Lax") # $Alert[py/client-exposed-cookie]
+    resp.set_cookie("key2", "value2", samesite="None") # $Alert[py/client-exposed-cookie]
+    resp.set_cookie("key2", "value2", secure=True, samesite="Strict") # $Alert[py/client-exposed-cookie]
+    resp.set_cookie("key2", "value2", httponly=True, samesite="Strict") 
+    resp.set_cookie("key2", "value2", secure=True, samesite="None") # $Alert[py/client-exposed-cookie]
+    resp.set_cookie("key2", "value2", httponly=True, samesite="None") 
+    resp.set_cookie("key2", "value2", secure=True, httponly=True, samesite="Strict")
@@ -0,0 +1,3 @@
+| test.py:13:5:13:54 | ControlFlowNode for Attribute() | Cookie is added with the SameSite attribute set to None. |
+| test.py:16:5:16:67 | ControlFlowNode for Attribute() | Cookie is added with the SameSite attribute set to None. |
+| test.py:17:5:17:69 | ControlFlowNode for Attribute() | Cookie is added with the SameSite attribute set to None. |
@@ -0,0 +1,2 @@
+query: Security/CWE-1275/SameSiteNoneCookie.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
@@ -0,0 +1,18 @@
+from flask import Flask, request, make_response
+
+app = Flask(__name__)
+
+@app.route("/test")
+def test():
+    resp = make_response()
+    resp.set_cookie("key1", "value1") 
+    resp.set_cookie("key2", "value2", secure=True) 
+    resp.set_cookie("key2", "value2", httponly=True) 
+    resp.set_cookie("key2", "value2", samesite="Strict") 
+    resp.set_cookie("key2", "value2", samesite="Lax") 
+    resp.set_cookie("key2", "value2", samesite="None") # $Alert[py/samesite-none-cookie]
+    resp.set_cookie("key2", "value2", secure=True, samesite="Strict") 
+    resp.set_cookie("key2", "value2", httponly=True, samesite="Strict") 
+    resp.set_cookie("key2", "value2", secure=True, samesite="None") # $Alert[py/samesite-none-cookie]
+    resp.set_cookie("key2", "value2", httponly=True, samesite="None") # $Alert[py/samesite-none-cookie]
+    resp.set_cookie("key2", "value2", secure=True, httponly=True, samesite="Strict")
@@ -1,10 +1,7 @@
-| test.py:10:5:10:37 | ControlFlowNode for Attribute() | Cookie is added without the Secure and HttpOnly attributes properly set. |
-| test.py:11:5:11:50 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
-| test.py:12:5:12:52 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
-| test.py:13:5:13:56 | ControlFlowNode for Attribute() | Cookie is added without the Secure and HttpOnly attributes properly set. |
-| test.py:14:5:14:53 | ControlFlowNode for Attribute() | Cookie is added without the Secure and HttpOnly attributes properly set. |
-| test.py:15:5:15:54 | ControlFlowNode for Attribute() | Cookie is added without the Secure, HttpOnly, and SameSite attributes properly set. |
-| test.py:16:5:16:69 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
-| test.py:17:5:17:71 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
-| test.py:18:5:18:67 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly and SameSite attributes properly set. |
-| test.py:19:5:19:69 | ControlFlowNode for Attribute() | Cookie is added without the Secure and SameSite attributes properly set. |
+| test.py:8:5:8:37 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
+| test.py:10:5:10:52 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
+| test.py:11:5:11:56 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
+| test.py:12:5:12:53 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
+| test.py:13:5:13:54 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
+| test.py:15:5:15:71 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
+| test.py:17:5:17:69 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
@@ -1 +1,2 @@
-Security/CWE-614/InsecureCookie.ql
+query: Security/CWE-614/InsecureCookie.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
@@ -1,20 +1,18 @@
 from flask import Flask, request, make_response
-import lxml.etree
-import markupsafe
 
 app = Flask(__name__)
 
 @app.route("/test")
 def test():
     resp = make_response()
-    resp.set_cookie("key1", "value1")
-    resp.set_cookie("key2", "value2", secure=True)
-    resp.set_cookie("key2", "value2", httponly=True)
-    resp.set_cookie("key2", "value2", samesite="Strict")
-    resp.set_cookie("key2", "value2", samesite="Lax")
-    resp.set_cookie("key2", "value2", samesite="None")
+    resp.set_cookie("key1", "value1") # $Alert[py/insecure-cookie]
+    resp.set_cookie("key2", "value2", secure=True) 
+    resp.set_cookie("key2", "value2", httponly=True) # $Alert[py/insecure-cookie]
+    resp.set_cookie("key2", "value2", samesite="Strict") # $Alert[py/insecure-cookie]
+    resp.set_cookie("key2", "value2", samesite="Lax") # $Alert[py/insecure-cookie]
+    resp.set_cookie("key2", "value2", samesite="None") # $Alert[py/insecure-cookie]
     resp.set_cookie("key2", "value2", secure=True, samesite="Strict")
-    resp.set_cookie("key2", "value2", httponly=True, samesite="Strict")
+    resp.set_cookie("key2", "value2", httponly=True, samesite="Strict") # $Alert[py/insecure-cookie]
     resp.set_cookie("key2", "value2", secure=True, samesite="None")
-    resp.set_cookie("key2", "value2", httponly=True, samesite="None")
+    resp.set_cookie("key2", "value2", httponly=True, samesite="None") # $Alert[py/insecure-cookie]
     resp.set_cookie("key2", "value2", secure=True, httponly=True, samesite="Strict")
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		query: Security/CWE-1004/NonHttpOnlyCookie.ql
		postprocess: utils/test/InlineExpectationsTestQuery.ql
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		query: Security/CWE-1275/SameSiteNoneCookie.ql
		postprocess: utils/test/InlineExpectationsTestQuery.ql