JS: Replace csurf -> lusca.csrf from example and qhelp

2026-04-25 16:55:19 +02:00 · 2022-12-14 12:23:47 +01:00
parent a6d227d52e
commit 162419138d
3 changed files with 25 additions and 14 deletions
--- a/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.qhelp
+++ b/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.qhelp
@@ -25,7 +25,7 @@
 <recommendation>
 	<p>

-		Use a middleware package such as <code>csurf</code> to protect against CSRF attacks.
+		Use a middleware package such as <code>lusca.csrf</code> to protect against CSRF attacks.

 	</p>
 </recommendation>
@@ -58,6 +58,6 @@

 <references>
 	<li>OWASP: <a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)">Cross-Site Request Forgery (CSRF)</a></li>
-	<li>NPM: <a href="https://www.npmjs.com/package/csurf">csurf</a></li>
+	<li>NPM: <a href="https://www.npmjs.com/package/lusca">lusca</a></li>
 </references>
 </qhelp>
--- a/javascript/ql/src/Security/CWE-352/examples/MissingCsrfMiddlewareBad.js
+++ b/javascript/ql/src/Security/CWE-352/examples/MissingCsrfMiddlewareBad.js
@@ -1,11 +1,16 @@
-var app = require("express")(),
+const app = require("express")(),
  cookieParser = require("cookie-parser"),
-  passport = require("passport");
+  bodyParser = require("body-parser"),
+  session = require("express-session");

 app.use(cookieParser());
-app.use(passport.authorize({ session: true }));
+app.use(bodyParser.urlencoded({ extended: false }));
+app.use(session({ secret: process.env['SECRET'], cookie: { maxAge: 60000 } }));
+
+// ...

 app.post("/changeEmail", function(req, res) {
-  let newEmail = req.cookies["newEmail"];
-  // ...
+  const userId = req.session.id;
+  const email = req.body["email"];
+  // ... update email associated with userId
 });
--- a/javascript/ql/src/Security/CWE-352/examples/MissingCsrfMiddlewareGood.js
+++ b/javascript/ql/src/Security/CWE-352/examples/MissingCsrfMiddlewareGood.js
@@ -1,12 +1,18 @@
-var app = require("express")(),
+const app = require("express")(),
  cookieParser = require("cookie-parser"),
-  passport = require("passport"),
-  csrf = require("csurf");
+  bodyParser = require("body-parser"),
+  session = require("express-session"),
+  csrf = require('lusca').csrf;

 app.use(cookieParser());
-app.use(passport.authorize({ session: true }));
-app.use(csrf({ cookie: true }));
+app.use(bodyParser.urlencoded({ extended: false }));
+app.use(session({ secret: process.env['SECRET'], cookie: { maxAge: 60000 } }));
+app.use(csrf());
+
+// ...
+
 app.post("/changeEmail", function(req, res) {
-  let newEmail = req.cookies["newEmail"];
-  // ...
+  const userId = req.session.id;
+  const email = req.body["email"];
+  // ... update email associated with userId
 });