Tainted data should never be used in a cookie sent via an HTTP response object. Doing so exposes the application to session fixation attacks.
Any data coming from an external source (query parameters, request bodies, headers) could be used by a malicious user to hijack a valid session. To avoid this vulnerability, either sanitize the data before it reaches the cookie, or do not use user-supplied data when setting cookies at all.
If you can guarantee that your code snippet is safe, add a skipcq comment to document the reason. This will also prevent DeepSource from raising this issue.
// Bad practice: a request-controlled value is copied straight into a response header.
app.get("/resource", (req, res) => {
  // `req.query` is a parsed object, so a field (here `name`, assumed) is read to get a string
  const cookieValue = "user-query:" + req.query.name;
  res.setHeader("Set-Cookie", cookieValue); // tainted data flows into Set-Cookie
});
// Recommended: validate or escape the value before it reaches the cookie.
// `sanitize` stands for the application's own validation/escaping routine.
app.get("/resource", (req, res) => {
  const cookieValue = "user-query:" + req.query.name;
  const safeCookieValue = sanitize(cookieValue);
  res.setHeader("Set-Cookie", safeCookieValue);
});
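As an added example (not DeepSource's code or the snippet above), one way to implement the `sanitize` step concretely: the user-supplied value is accepted only if it is a string made of RFC 6265 cookie-octets, and the header is assembled with a fixed cookie name and hardening attributes rather than built from raw input. The helper names, the `theme` query field and the Express-style `req`/`res` shapes are assumptions.

```javascript
// RFC 6265 cookie-octet: printable ASCII minus whitespace, DQUOTE, comma, semicolon, backslash.
const COOKIE_VALUE_RE = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;
// RFC 7230 token characters, used for the cookie name.
const COOKIE_NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Returns the value unchanged if it is safe to place in Set-Cookie, otherwise null.
function sanitizeCookieValue(input, maxLen = 256) {
  if (typeof input !== "string") return null;       // ?theme[]=x or ?theme[a]=b parse to non-strings
  if (input.length === 0 || input.length > maxLen) return null;
  if (!COOKIE_VALUE_RE.test(input)) return null;    // rejects CR, LF, ';', ',', '"', '\\', spaces, non-ASCII
  return input;
}

// Builds the header from a constant name plus a validated value; attributes are not user-controlled.
function buildSetCookie(name, value, opts = {}) {
  if (!COOKIE_NAME_RE.test(name)) throw new TypeError("invalid cookie name");
  const safe = sanitizeCookieValue(value, opts.maxLen);
  if (safe === null) throw new TypeError("cookie value rejected");
  const parts = [`${name}=${safe}`, "Path=/", "HttpOnly", "Secure", "SameSite=Lax"];
  if (Number.isInteger(opts.maxAge)) parts.push(`Max-Age=${opts.maxAge}`);
  return parts.join("; ");
}

// Route handler in the shape of the page's snippet: invalid input gets a 400 instead of a cookie,
// and the session identifier is never derived from the request.
function resourceHandler(req, res) {
  const safe = sanitizeCookieValue(req.query.theme);
  if (safe === null) {
    res.statusCode = 400;
    res.end("bad cookie value");
    return;
  }
  res.setHeader("Set-Cookie", buildSetCookie("theme", safe, { maxAge: 3600 }));
  res.end("ok");
}
```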