User-provided data, such as URL parameters, should always be considered untrusted and tainted. Building a cookie directly from tainted data lets an attacker choose that cookie's value. When the affected cookie is the session identifier, the attacker can fix it to a value they already know and then share the session with the victim (session fixation). A successful attack can lead to unauthorized access to sensitive information, for example when the session identifier is not regenerated at the moment the victim authenticates.
Typically, the way to prevent this type of attack is to restrict, with an allow-list, which cookie names user input may influence, and to keep the session cookie out of that list so that its value only ever comes from the server-side session layer.
Noncompliant Code Example
module.exports.index = async function (req, res) {
  const value = req.query.value; // tainted: fully controlled by the requester
  res.setHeader("Set-Cookie", value); // Noncompliant: whole Set-Cookie header built from tainted data
  res.cookie("connect.sid", value); // Noncompliant: session cookie value chosen by the requester
};
Compliant Solution
module.exports.index = async function (req, res) {
  const value = req.query.value; // still tainted
  res.setHeader("X-Data", value); // application-chosen header name, not Set-Cookie
  res.cookie("data", value); // application-chosen cookie name, not the session cookie
};
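The compliant solution above fixes the cookie name but still copies the raw value through. The following is an added example, not part of the rule text or of any project: it shows the allow-list approach end to end, with the cookie name checked against a fixed set that excludes the session cookie, the value checked against a conservative pattern so that no cookie-attribute separator or line break can be smuggled in, and hardened cookie attributes applied. The handler is written against the Express req/res shape; a small stand-in for res is included (an assumption, so the example runs without Express) together with constructed sample requests. The names ALLOWED_COOKIE_NAMES, SAFE_COOKIE_VALUE, validateCookie and setPreferenceCookie are this example's own.

```javascript
"use strict";

// Cookie names a request parameter is allowed to influence. The session
// cookie ("connect.sid" for express-session) is deliberately absent: its
// value must only ever come from the server-side session middleware.
const ALLOWED_COOKIE_NAMES = new Set(["theme", "lang"]);

// Conservative charset for values: no ";", "=", ",", CR/LF, spaces or
// non-ASCII, so nothing in the value can be parsed as a cookie attribute
// or as a second Set-Cookie header.
const SAFE_COOKIE_VALUE = /^[A-Za-z0-9_-]{1,64}$/;

// Returns { ok: true } or { ok: false, reason } for a (name, value) pair.
function validateCookie(name, value) {
  if (!ALLOWED_COOKIE_NAMES.has(name)) {
    return { ok: false, reason: `cookie "${name}" is not in the allow-list` };
  }
  // Express may hand back an array for repeated query keys (?value=a&value=b),
  // so the type check matters as much as the pattern.
  if (typeof value !== "string" || !SAFE_COOKIE_VALUE.test(value)) {
    return { ok: false, reason: "cookie value failed validation" };
  }
  return { ok: true };
}

// Express-style handler: req.query.name and req.query.value are tainted.
// Only an allow-listed name with a validated value reaches res.cookie().
// Returns true when a cookie was set, false when the request was rejected.
function setPreferenceCookie(req, res) {
  const { name, value } = req.query;
  const check = validateCookie(String(name), value);
  if (!check.ok) {
    res.status(400).send(check.reason);
    return false;
  }
  res.cookie(name, value, { httpOnly: true, secure: true, sameSite: "lax" });
  res.status(204).end();
  return true;
}

// Minimal stand-in for Express's res so the example runs offline. Assumption:
// a real Express response behaves equivalently for these calls.
function fakeResponse() {
  const res = { cookies: {}, statusCode: 200, body: "" };
  res.cookie = (n, v, opts) => { res.cookies[n] = { value: v, opts }; return res; };
  res.status = (c) => { res.statusCode = c; return res; };
  res.send = (b) => { res.body = b; return res; };
  res.end = () => res;
  return res;
}

// Constructed sample requests (not captured traffic).
const samples = [
  { name: "theme", value: "dark" },                                   // accepted
  { name: "connect.sid", value: "s%3Aattacker-known-id" },            // fixation attempt, rejected
  { name: "theme", value: "dark; Path=/\r\nSet-Cookie: connect.sid=x" }, // injection attempt, rejected
  { name: "lang", value: ["en", "fr"] },                              // array from repeated key, rejected
];

for (const query of samples) {
  const res = fakeResponse();
  const accepted = setPreferenceCookie({ query }, res);
  console.log(JSON.stringify(query.name), accepted ? "set" : `rejected (${res.statusCode}: ${res.body})`);
}
```

Note that the allow-list is on names, not on the request source: even a value that looks harmless is never written to the session cookie, because no code path exists that would take a session identifier from the request at all.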
See