C#: Add a copy of all experimental query tests (as is).

Author: michaelnebel

csharp/test/security/CWE-1004/CookieHttpOnlyFalseAspNetCore/CookieBuilder/HttpOnly.expected

@@ -0,0 +1,2 @@
+| Program.cs:13:33:13:37 | false | Cookie attribute 'HttpOnly' is not set to true. |
+| Program.cs:20:39:20:43 | false | Cookie attribute 'HttpOnly' is not set to true. |

csharp/test/security/CWE-1004/CookieHttpOnlyFalseAspNetCore/CookieBuilder/HttpOnly.qlref

@@ -0,0 +1 @@
+experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql

csharp/test/security/CWE-1004/CookieHttpOnlyFalseAspNetCore/CookieBuilder/Program.cs

@@ -0,0 +1,23 @@
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Authentication;
+
+public class Startup
+{
+    public void ConfigureServices(IServiceCollection services)
+    {
+        services.AddAuthentication().AddCookie(o =>
+        {
+            o.Cookie.HttpOnly = false;
+            o.Cookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.None;
+        });
+
+        services.AddSession(options =>
+        {
+            options.Cookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.None;
+            options.Cookie.HttpOnly = false;
+        });
+    }
+}

csharp/test/security/CWE-1004/CookieHttpOnlyFalseAspNetCore/NoPolicy/HttpOnly.expected

@@ -0,0 +1,4 @@
+| Program.cs:25:34:25:38 | false | Cookie attribute 'HttpOnly' is not set to true. |
+| Program.cs:38:88:38:92 | false | Cookie attribute 'HttpOnly' is not set to true. |
+| Program.cs:61:34:61:34 | access to local variable v | Cookie attribute 'HttpOnly' is not set to true. |
+| Program.cs:68:88:68:88 | access to local variable v | Cookie attribute 'HttpOnly' is not set to true. |

csharp/test/security/CWE-1004/CookieHttpOnlyFalseAspNetCore/NoPolicy/HttpOnly.qlref

@@ -0,0 +1 @@
+experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql

csharp/test/security/CWE-1004/CookieHttpOnlyFalseAspNetCore/NoPolicy/Program.cs

@@ -0,0 +1,71 @@
+public class MyController : Microsoft.AspNetCore.Mvc.Controller
+{
+    public void CookieDelete()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        Response.Cookies.Delete("auth", cookieOptions); // GOOD: Delete call
+    }
+
+    void CookieDirectTrue()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        cookieOptions.HttpOnly = true;
+        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD
+    }
+
+    void CookieDirectTrueInitializer()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { HttpOnly = true };
+        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD
+    }
+
+    void CookieDirectFalse()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        cookieOptions.HttpOnly = false;
+        Response.Cookies.Append("auth", "secret", cookieOptions); // BAD
+    }
+
+    void CookieDirectFalseForgery()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        cookieOptions.HttpOnly = false;
+        Response.Cookies.Append("antiforgerytoken", "secret", cookieOptions); // GOOD: not an auth cookie
+    }
+
+    void CookieDirectFalseInitializer()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { HttpOnly = false };
+        Response.Cookies.Append("auth", "secret", cookieOptions); // BAD
+    }
+
+    void CookieIntermediateTrue()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        bool v = true;
+        cookieOptions.HttpOnly = v;
+        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD: should track local data flow
+    }
+
+    void CookieIntermediateTrueInitializer()
+    {
+        bool v = true;
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { HttpOnly = v };
+        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD: should track local data flow
+    }
+
+    void CookieIntermediateFalse()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        bool v = false;
+        cookieOptions.HttpOnly = v;
+        Response.Cookies.Append("auth", "secret", cookieOptions); // BAD
+    }
+
+    void CookieIntermediateFalseInitializer()
+    {
+        bool v = false;
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { HttpOnly = v };
+        Response.Cookies.Append("auth", "secret", cookieOptions); // BAD
+    }
+}

csharp/test/security/CWE-1004/CookieHttpOnlyFalseAspNetCore/UseCookiePolicyCallback/HttpOnly.expected

@@ -0,0 +1 @@
+experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql

csharp/test/security/CWE-1004/CookieHttpOnlyFalseAspNetCore/UseCookiePolicyCallback/HttpOnly.qlref

@@ -0,0 +1,37 @@
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.AspNetCore.Http;
+
+public class MyController : Microsoft.AspNetCore.Mvc.Controller
+{
+    public void CookieDefault()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        cookieOptions.HttpOnly = false;
+        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD: HttpOnly is set in callback
+    }
+}
+
+public class Startup
+{
+    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
+    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
+    {
+        app.UseCookiePolicy();
+    }
+
+    public void ConfigureServices(IServiceCollection services)
+    {
+        services.Configure<CookiePolicyOptions>(options =>
+        {
+            options.OnAppendCookie = cookieContext => SetCookies(cookieContext.CookieOptions);
+        });
+    }
+
+    private void SetCookies(CookieOptions options)
+    {
+        options.Secure = true;
+        options.HttpOnly = true;
+    }
+}

csharp/test/security/CWE-1004/CookieHttpOnlyFalseAspNetCore/UseCookiePolicyCallback/Program.cs

@@ -0,0 +1,3 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.AspNetCore.App/Microsoft.AspNetCore.App.csproj

csharp/test/security/CWE-1004/CookieHttpOnlyFalseAspNetCore/options

@@ -0,0 +1,4 @@
+| Program.cs:23:27:23:31 | false | Cookie attribute 'HttpOnly' is not set to true. |
+| Program.cs:28:74:28:78 | false | Cookie attribute 'HttpOnly' is not set to true. |
+| Program.cs:48:27:48:27 | access to local variable v | Cookie attribute 'HttpOnly' is not set to true. |
+| Program.cs:54:74:54:74 | access to local variable v | Cookie attribute 'HttpOnly' is not set to true. |

csharp/test/security/CWE-1004/CookieHttpOnlyFalseSystemWeb/HttpOnly.expected

@@ -0,0 +1 @@
+experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql

csharp/test/security/CWE-1004/CookieHttpOnlyFalseSystemWeb/HttpOnly.qlref

@@ -0,0 +1,56 @@
+class Program
+{
+    void CookieDirectTrue()
+    {
+        var cookie = new System.Web.HttpCookie("sessionID");
+        cookie.HttpOnly = true;  // GOOD
+    }
+
+    void CookieDirectTrueInitializer()
+    {
+        var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = true }; // GOOD
+    }
+
+    void CookieForgeryDirectFalse()
+    {
+        var cookie = new System.Web.HttpCookie("antiforgerytoken");
+        cookie.HttpOnly = false; // GOOD: not an auth cookie
+    }
+
+    void CookieDirectFalse()
+    {
+        var cookie = new System.Web.HttpCookie("sessionID");
+        cookie.HttpOnly = false; // BAD
+    }
+
+    void CookieDirectFalseInitializer()
+    {
+        var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = false }; // BAD
+    }
+
+    void CookieIntermediateTrue()
+    {
+        var cookie = new System.Web.HttpCookie("sessionID");
+        bool v = true;
+        cookie.HttpOnly = v; // GOOD: should track local data flow
+    }
+
+    void CookieIntermediateTrueInitializer()
+    {
+        bool v = true;
+        var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = v }; // GOOD: should track local data flow
+    }
+
+    void CookieIntermediateFalse()
+    {
+        var cookie = new System.Web.HttpCookie("sessionID");
+        bool v = false;
+        cookie.HttpOnly = v; // BAD
+    }
+
+    void CookieIntermediateFalseInitializer()
+    {
+        bool v = false;
+        var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = v }; // BAD
+    }
+}

csharp/test/security/CWE-1004/CookieHttpOnlyFalseSystemWeb/Program.cs

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+  <system.web>
+    <httpCookies />
+  </system.web>
+</configuration>

csharp/test/security/CWE-1004/CookieHttpOnlyFalseSystemWeb/Web.config

@@ -0,0 +1,3 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
+semmle-extractor-options: ${testdir}/../../../../resources/stubs/System.Web.cs

csharp/test/security/CWE-1004/CookieHttpOnlyFalseSystemWeb/options

@@ -0,0 +1,2 @@
+| Program.cs:5:9:5:49 | call to method Append | Cookie attribute 'HttpOnly' is not set to true. |
+| Program.cs:15:29:15:73 | object creation of type CookieOptions | Cookie attribute 'HttpOnly' is not set to true. |

csharp/test/security/CWE-1004/CookieWithoutHttpOnlyAspNetCore/NoPolicy/HttpOnly.expected

@@ -0,0 +1 @@
+experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql

csharp/test/security/CWE-1004/CookieWithoutHttpOnlyAspNetCore/NoPolicy/HttpOnly.qlref

@@ -0,0 +1,52 @@
+public class MyController : Microsoft.AspNetCore.Mvc.Controller
+{
+    public void CookieDefault()
+    {
+        Response.Cookies.Append("auth", "secret"); // BAD: HttpOnly is set to false by default
+    }
+
+    public void CookieDefaultForgery()
+    {
+        Response.Cookies.Append("antiforgerytoken", "secret"); // GOOD: not an auth cookie
+    }
+
+    public void CookieDefault2()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        Response.Cookies.Append("auth", "secret", cookieOptions); // BAD: HttpOnly is set to false by default
+    }
+
+    public void CookieDelete()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        Response.Cookies.Delete("auth", cookieOptions); // GOOD: Delete call
+    }
+
+    void CookieDirectTrue()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        cookieOptions.HttpOnly = true;
+        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD
+    }
+
+    void CookieDirectTrueInitializer()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { HttpOnly = true };
+        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD
+    }
+
+    void CookieIntermediateTrue()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        bool v = true;
+        cookieOptions.HttpOnly = v;
+        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD: should track local data flow
+    }
+
+    void CookieIntermediateTrueInitializer()
+    {
+        bool v = true;
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { HttpOnly = v };
+        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD: should track local data flow
+    }
+}

csharp/test/security/CWE-1004/CookieWithoutHttpOnlyAspNetCore/NoPolicy/Program.cs

@@ -0,0 +1 @@
+experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql

csharp/test/security/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyAlways/HttpOnly.expected

@@ -0,0 +1,25 @@
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Hosting;
+
+public class MyController : Microsoft.AspNetCore.Mvc.Controller
+{
+    public void CookieDefault()
+    {
+        Response.Cookies.Append("auth", "secret"); // GOOD: HttpOnly is set in policy
+    }
+
+    public void CookieDefault2()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD: HttpOnly is set in policy
+    }
+}
+
+public class Startup
+{
+    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
+    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
+    {
+        app.UseCookiePolicy(new CookiePolicyOptions() { HttpOnly = Microsoft.AspNetCore.CookiePolicy.HttpOnlyPolicy.Always});
+    }
+}

csharp/test/security/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyAlways/HttpOnly.qlref

@@ -0,0 +1 @@
+experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql

csharp/test/security/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyAlways/Program.cs

@@ -0,0 +1,36 @@
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.AspNetCore.Http;
+
+public class MyController : Microsoft.AspNetCore.Mvc.Controller
+{
+    public void CookieDefault()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD: HttpOnly is set in callback
+    }
+}
+
+public class Startup
+{
+    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
+    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
+    {
+        app.UseCookiePolicy();
+    }
+
+    public void ConfigureServices(IServiceCollection services)
+    {
+        services.Configure<CookiePolicyOptions>(options =>
+        {
+            options.OnAppendCookie = cookieContext => SetCookies(cookieContext.CookieOptions);
+        });
+    }
+
+    private void SetCookies(CookieOptions options)
+    {
+        options.Secure = true;
+        options.HttpOnly = true;
+    }
+}

csharp/test/security/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyCallback/HttpOnly.expected

@@ -0,0 +1,2 @@
+| Program.cs:8:9:8:49 | call to method Append | Cookie attribute 'HttpOnly' is not set to true. |
+| Program.cs:13:29:13:73 | object creation of type CookieOptions | Cookie attribute 'HttpOnly' is not set to true. |

csharp/test/security/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyCallback/HttpOnly.qlref

@@ -0,0 +1 @@
+experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql

csharp/test/security/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyCallback/Program.cs

@@ -0,0 +1,25 @@
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Hosting;
+
+public class MyController : Microsoft.AspNetCore.Mvc.Controller
+{
+    public void CookieDefault()
+    {
+        Response.Cookies.Append("auth", "secret"); // Bad: HttpOnly policy set to None
+    }
+
+    public void CookieDefault2()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        Response.Cookies.Append("auth", "secret", cookieOptions); // Bad: HttpOnly policy set to None
+    }
+}
+
+public class Startup
+{
+    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
+    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
+    {
+        app.UseCookiePolicy(new CookiePolicyOptions() { HttpOnly = Microsoft.AspNetCore.CookiePolicy.HttpOnlyPolicy.None });
+    }
+}

csharp/test/security/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyNone/HttpOnly.expected

@@ -0,0 +1,3 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.AspNetCore.App/Microsoft.AspNetCore.App.csproj

csharp/test/security/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyNone/HttpOnly.qlref

@@ -0,0 +1 @@
+| Program.cs:5:22:5:59 | object creation of type HttpCookie | Cookie attribute 'HttpOnly' is not set to true. |

csharp/test/security/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyNone/Program.cs

@@ -0,0 +1 @@
+experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql