JS: Add qhelp

Asger F
2022-06-27 16:14:30 +02:00
parent d92430b0e7
commit 17d139c87d
3 changed files with 69 additions and 0 deletions


@@ -0,0 +1,43 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
Using a case-sensitive regular expression path in a middleware route enables an attacker to bypass that middleware
when accessing an endpoint with a case-insensitive path.
</p>
</overview>
<recommendation>
<p>
When using a regular expression as a middlware path, make sure the regular expression is
case insensitive by adding the <code>i</code> flag.
</p>
</recommendation>
<example>
<p>
The following example restricts access to paths in the <code>/admin</code> path to users logged in as
an administrator:
</p>
<sample src="examples/CaseSensitiveMiddlewarePath.js" />
<p>
A path such as <code>/admin/users/45</code> can only be accessed by an administrator. However, the path
<code>/ADMIN/USERS/45</code> can be accessed by anyone because the upper-case path doesn't match the case-sensitive regular expression, whereas
Express considers it to match the path string <code>/admin/users</code>.
</p>
<p>
The issue can be fixed by adding the <code>i</code> flag to the regular expression:
</p>
<sample src="examples/CaseSensitiveMiddlewarePathGood.js" />
</example>
<references>
<li>
MDN
<a href="https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#advanced_searching_with_flags">Regular Expression Flags</a>.
</li>
</references>
</qhelp>


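--- /dev/null
+++ b/examples/CaseSensitiveMiddlewarePath.js
@@ -0,0 +1,13 @@
+const app = require('express')();
+app.use(/\/admin\/.*/, (req, res, next) => {
+if (!req.user.isAdmin) {
+res.status(401).send('Unauthorized');
+} else {
+next();
+}
+});
+app.get('/admin/users/:id', (req, res) => {
+res.send(app.database.users[req.params.id]);
+});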
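Review bot: `req.user.isAdmin` on the third line of the middleware dereferences `req.user` unconditionally, so a request with no authenticated user (where `req.user` is typically unset) throws a TypeError inside the middleware instead of being rejected; the same guard appears in the second example file (CaseSensitiveMiddlewarePathGood.js). Since these snippets are what readers copy from the query help, the guard should tolerate a missing user, `if (!req.user?.isAdmin) {`. The status code is also worth a second look: 401 signals missing authentication, while a logged-in user who is not an administrator is conventionally answered with 403. The case-sensitivity of the regex is the query's subject and is intentionally left as-is in this file.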


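--- /dev/null
+++ b/examples/CaseSensitiveMiddlewarePathGood.js
@@ -0,0 +1,13 @@
+const app = require('express')();
+app.use(/\/admin\/.*/i, (req, res, next) => {
+if (!req.user.isAdmin) {
+res.status(401).send('Unauthorized');
+} else {
+next();
+}
+});
+app.get('/admin/users/:id', (req, res) => {
+res.send(app.database.users[req.params.id]);
+});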