Title: [javascript] CWE-614: CodeQL query to detect if cookies are sent without the flag secure being set · Issue #169 · github/securitylab · GitHub
Open Graph Title: [javascript] CWE-614: CodeQL query to detect if cookies are sent without the flag secure being set · Issue #169 · github/securitylab
X Title: [javascript] CWE-614: CodeQL query to detect if cookies are sent without the flag secure being set · Issue #169 · github/securitylab
Description: CVE ID(s) List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database. There is no CVE for this. Report Failing to set the secure flag on a cookie can cause it to be sent ...
Open Graph Description: CVE ID(s) List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database. There is no CVE for this. Report Failing to set the secure f...
X Description: CVE ID(s) List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database. There is no CVE for this. Report Failing to set the secure f...
Opengraph URL: https://github.com/github/securitylab/issues/169
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"[javascript] CWE-614: CodeQL query to detect if cookies are sent without the flag secure being set","articleBody":"## CVE ID(s)\r\n\r\n*List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the [GitHub Advisory Database](https://github.com/advisories).*\r\n\r\n- There is no CVE for this.\r\n\r\n## Report\r\n\r\nFailing to set the secure flag on a cookie can cause it to be sent in clear text. This makes it easier for an attacker to intercept and read the cookie.\r\n\r\nQuery to detect if the `secure` flag is set to cookies is available in java query but it is not available in JavaScript query.\r\nThis query detects if cookies are sent without the flag secure being set or with the flag secure being set to false.\r\n\r\nLink to the merged PR: [PR github/codeql#3978](https://github.com/github/codeql/pull/3978)\r\n\r\n- [x] Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). *We would love to have you spread the word about the good work you are doing*\r\n\r\n## Result(s)\r\n\r\nThe query was able to detect the following issues (now fixed):\r\n|Issue | Fix|\r\n|------|------|\r\n|[ibm-dotcom-library/packages/utilities/src/utilities/ipcinfoCookie/ipcinfoCookie.js#L59](https://github.com/carbon-design-system/ibm-dotcom-library/blob/1adcd87c468aee159c4961f76f9d6084b7ce3956/packages/utilities/src/utilities/ipcinfoCookie/ipcinfoCookie.js#L59)|[ibm-dotcom-library/packages/utilities/src/utilities/ipcinfoCookie/ipcinfoCookie.js#L72](https://github.com/carbon-design-system/ibm-dotcom-library/blob/master/packages/utilities/src/utilities/ipcinfoCookie/ipcinfoCookie.js#L72)|\r\n|[urly/server/routes/login.js#L32](https://github.com/nedzadalibegovic/urly/blob/aa99fde1528907764acedae06574ca3d333f3fb8/server/routes/login.js#L32)|[urly/server/routes/login.js#L54](https://github.com/nedzadalibegovic/urly/blob/master/server/routes/login.js#L54)|\r\n","author":{"url":"https://github.com/dellalibera","@type":"Person","name":"dellalibera"},"datePublished":"2020-08-29T09:31:16.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":6},"url":"https://github.com/169/securitylab/issues/169"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:9b2fd916-49ef-2b7e-984b-8a34725f5d81 |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | B6F0:3B269:120C728:18F8574:6A4DE3A0 |
| html-safe-nonce | bae81f2ad88ff79697ce5ae85c95825e8b2b73bd26aab6612e9d2b20bd505ff6 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJCNkYwOjNCMjY5OjEyMEM3Mjg6MThGODU3NDo2QTRERTNBMCIsInZpc2l0b3JfaWQiOiIyODY2ODkxNjg5NzcwNzM4NTkyIiwicmVnaW9uX2VkZ2UiOiJpYWQiLCJyZWdpb25fcmVuZGVyIjoiaWFkIn0= |
| visitor-hmac | fef14483a2d6b01902f89abf93f65eaa02064b3f14271aa1040509b8ef781976 |
| hovercard-subject-tag | issue:688498054 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/github/securitylab/169/issue_layout |
| twitter:image | https://opengraph.githubassets.com/7021ced9d52ba605e8160b89d7cb07a3d743bf1bb17da451b2108d18ec205175/github/securitylab/issues/169 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/7021ced9d52ba605e8160b89d7cb07a3d743bf1bb17da451b2108d18ec205175/github/securitylab/issues/169 |
| og:image:alt | CVE ID(s) List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database. There is no CVE for this. Report Failing to set the secure f... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | dellalibera |
| hostname | github.com |
| expected-hostname | github.com |
| None | 06b8a6144231bf3a234f1c2e9993861e07ce98a905912b114aa386c2d7e84b33 |
| turbo-cache-control | no-preview |
| go-import | github.com/github/securitylab git https://github.com/github/securitylab.git |
| octolytics-dimension-user_id | 9919 |
| octolytics-dimension-user_login | github |
| octolytics-dimension-repository_id | 221101274 |
| octolytics-dimension-repository_nwo | github/securitylab |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 221101274 |
| octolytics-dimension-repository_network_root_nwo | github/securitylab |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 1d344bdb7547fe6bca17a59bb2b8aac3dc9532a0 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width