
Conversation

@joefarebrother
Contributor

Promotes go/cookie-httponly-not-set from experimental, and adds go/cookie-secure-not-set query.

@github-actions github-actions bot added the Go label Nov 5, 2025
@joefarebrother joefarebrother force-pushed the go-insecure-cookie branch 2 times, most recently from d00f670 to 2805a60 Compare November 10, 2025 09:31
@github-actions
Contributor

github-actions bot commented Nov 10, 2025

QHelp previews:

go/ql/src/Security/CWE-1004/CookieWithoutHttpOnly.qhelp

Cookie 'HttpOnly' attribute is not set to true

Cookies without the HttpOnly flag set are accessible to client-side scripts such as JavaScript running in the same origin. In case of a Cross-Site Scripting (XSS) vulnerability, the cookie can be stolen by a malicious script. If a sensitive cookie does not need to be accessed directly by client-side JS, the HttpOnly flag should be set.

Recommendation

Set the HttpOnly flag to true for authentication cookies to ensure they are not accessible to client-side scripts.

Example

In the following example, in the case marked BAD, the HttpOnly flag is not set, so the default value of false is used. In the case marked GOOD, the HttpOnly flag is set to true.

package main

import (
	"net/http"
)

func handlerBad(w http.ResponseWriter, r *http.Request) {
	c := http.Cookie{
		Name:  "session",
		Value: "secret",
	}
	http.SetCookie(w, &c) // BAD: The HttpOnly flag is set to false by default.
}

func handlerGood(w http.ResponseWriter, r *http.Request) {
	c := http.Cookie{
		Name:     "session",
		Value:    "secret",
		HttpOnly: true,
	}
	http.SetCookie(w, &c) // GOOD: The HttpOnly flag is set to true.
}

References

go/ql/src/Security/CWE-614/CookieWithoutSecure.qhelp

Cookie 'Secure' attribute is not set to true

Cookies without the Secure flag set may be transmitted using HTTP instead of HTTPS. This leaves them vulnerable to being read by a third-party attacker. If a sensitive cookie such as a session key is intercepted this way, it would allow the attacker to perform actions on a user's behalf.

Recommendation

Set the Secure flag to true to ensure cookies are only transmitted over secure HTTPS connections.

Example

In the following example, in the case marked BAD, the Secure flag is set to false by default. In the case marked GOOD, the Secure flag is set to true.

package main

import (
	"net/http"
)

func handlerBad(w http.ResponseWriter, r *http.Request) {
	c := http.Cookie{
		Name:  "session",
		Value: "secret",
	}
	http.SetCookie(w, &c) // BAD: The Secure flag is set to false by default.
}

func handlerGood(w http.ResponseWriter, r *http.Request) {
	c := http.Cookie{
		Name:   "session",
		Value:  "secret",
		Secure: true,
	}
	http.SetCookie(w, &c) // GOOD: The Secure flag is set to true.
}

References
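As an added example that is not part of the PR or of either QHelp page, the following Go helper exercises a handler with net/http/httptest and reports every Set-Cookie entry that lacks the HttpOnly or Secure attribute, covering the two cases the queries above describe. The handlers and the "/login" request path are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// cookieFindings parses the Set-Cookie headers of a recorded response and
// returns one finding per missing attribute, in the form "<name>: missing <attr>".
// Parsing the headers (rather than inspecting http.Cookie values) also catches
// cookies written via w.Header().Add("Set-Cookie", ...).
func cookieFindings(rec *httptest.ResponseRecorder) []string {
	var findings []string
	for _, c := range rec.Result().Cookies() {
		if !c.HttpOnly {
			findings = append(findings, c.Name+": missing HttpOnly")
		}
		if !c.Secure {
			findings = append(findings, c.Name+": missing Secure")
		}
	}
	return findings
}

// auditHandler runs h against a constructed GET request and returns its findings.
func auditHandler(h http.HandlerFunc) []string {
	req := httptest.NewRequest(http.MethodGet, "/login", nil) // constructed path
	rec := httptest.NewRecorder()
	h(rec, req)
	return cookieFindings(rec)
}

// handlerBad mirrors the BAD case above: both flags default to false.
func handlerBad(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, &http.Cookie{Name: "session", Value: "secret"})
}

// handlerGood sets both flags (and SameSite, which the queries do not check).
func handlerGood(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, &http.Cookie{
		Name: "session", Value: "secret",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode,
	})
}

func main() {
	fmt.Println(auditHandler(handlerBad))  // [session: missing HttpOnly session: missing Secure]
	fmt.Println(auditHandler(handlerGood)) // []
}
```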

@joefarebrother joefarebrother marked this pull request as ready for review November 10, 2025 10:35
@joefarebrother joefarebrother requested a review from a team as a code owner November 10, 2025 10:35
Copilot AI review requested due to automatic review settings November 10, 2025 10:35
Contributor

Copilot AI left a comment


Pull Request Overview

This PR promotes an experimental query for detecting cookies without the HttpOnly flag and introduces a new query for detecting cookies without the Secure flag. The changes include:

  • Migration of the CookieWithoutHttpOnly query from experimental to the main security query pack
  • Introduction of a new CookieWithoutSecure query
  • New shared library code (SecureCookies.qll) for modeling HTTP cookie security attributes
  • Updates to framework models for net/http and gin-gonic/gin

Reviewed Changes

Copilot reviewed 31 out of 42 changed files in this pull request and generated 4 comments.

Summary per file (File: Description):

go/ql/src/Security/CWE-1004/CookieWithoutHttpOnly.ql: New query for detecting cookies without HttpOnly flag
go/ql/src/Security/CWE-614/CookieWithoutSecure.ql: New query for detecting cookies without Secure flag
go/ql/lib/semmle/go/security/SecureCookies.qll: Shared library for cookie security analysis
go/ql/lib/semmle/go/concepts/HTTP.qll: Added CookieWrite and CookieOptions concepts
go/ql/lib/semmle/go/frameworks/NetHttp.qll: Added cookie write models for net/http
go/ql/lib/semmle/go/frameworks/Gin.qll: New framework models for gin-gonic/gin
go/ql/src/change-notes/2025-11-10-inseucre-cookie.md: Change notes documenting the updates
go/ql/src/experimental/CWE-1004/*: Removed experimental query files
go/ql/test/query-tests/Security/CWE-614/*: Test files for CookieWithoutSecure
go/ql/test/query-tests/Security/CWE-1004/*: Test files for CookieWithoutHttpOnly

