Added data extension to set defaults, updated help, added README to explain customization

2026-04-29 18:55:14 +02:00 · 2024-06-19 17:27:17 +01:00
parent 3a98edb60b
commit 252c9e9416
4 changed files with 54 additions and 27 deletions
--- a/javascript/ql/lib/semmle/javascript/frameworks/helmet/Helmet.Required.Setting.model.yml
+++ b/javascript/ql/lib/semmle/javascript/frameworks/helmet/Helmet.Required.Setting.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/javascript-queries
+      extensible: requiredHelmetSecuritySetting
+    data:
+      - ["frameguard"]
+      - ["contentSecurityPolicy"]
--- a/javascript/ql/src/Security/CWE-693/InsecureHelmet.qhelp
+++ b/javascript/ql/src/Security/CWE-693/InsecureHelmet.qhelp
@@ -22,14 +22,12 @@
            Users of the query can extend the set of required Helmet features by adding additional checks for them, using CodeQL <a href="https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-javascript/">data extensions</a>.
        </p>

-        <pre>
-extensions:
- addsTo:
-    pack: codeql/javascript-all
-    extensible: requiredHelmetSecuritySetting
+        <pre>extensions:
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: requiredHelmetSecuritySetting
 data:
-    - name: "frameguard"
-        </pre>
+    - ["frameguard"]</pre>

        <p>
            Note: <code>frameguard</code> is an example: the query already enforces this setting, so it is not necessary to add it to the data extension. 
--- a/javascript/ql/src/Security/CWE-693/InsecureHelmet.ql
+++ b/javascript/ql/src/Security/CWE-693/InsecureHelmet.ql
@@ -11,6 +11,8 @@
 *        cwe-1021
 */

+import javascript
+import DataFlow
 import semmle.javascript.frameworks.ExpressModules

 class HelmetProperty extends DataFlow::Node instanceof DataFlow::PropWrite {
@@ -22,33 +24,17 @@ class HelmetProperty extends DataFlow::Node instanceof DataFlow::PropWrite {

  ExpressLibraries::HelmetRouteHandler getHelmet() { result = helmet }

-  predicate isFalse() { DataFlow::PropWrite.super.getRhs().mayHaveBooleanValue(true) }
+  predicate isFalse() { DataFlow::PropWrite.super.getRhs().mayHaveBooleanValue(false) }

  string getName() { result = DataFlow::PropWrite.super.getPropertyName() }

  predicate isImportantSecuritySetting() {
-    this.getName() in ["frameguard", "contentSecurityPolicy"]
-    or
-    // read from data extensions to allow enforcing other settings
+    // read from data extensions to allow enforcing custom settings
+    // defaults are located in javascript/ql/lib/semmle/frameworks/helmet/Helmet.Required.Setting.model.yml
    requiredHelmetSecuritySetting(this.getName())
  }
 }

-/*
- * Extend the required Helmet security settings using data extensions.
- * Docs: https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-javascript/
- * For example:
- *
- * extensions:
- *  - addsTo:
- *      pack: codeql/javascript-all
- *      extensible: requiredHelmetSecuritySetting
- *    data:
- *      - name: "frameguard"
- *
- * Note: `frameguard` is an example: the query already enforces this setting, so it is not necessary to add it to the data extension.
- */
-
 extensible predicate requiredHelmetSecuritySetting(string name);

 from HelmetProperty helmetProperty, ExpressLibraries::HelmetRouteHandler helmet
@@ -56,5 +42,5 @@ where
  helmetProperty.isFalse() and
  helmetProperty.isImportantSecuritySetting() and
  helmetProperty.getHelmet() = helmet
-select helmet, "Helmet route handler, called with $@ set to 'false'.", helmetProperty,
+select helmet, "Helmet security middleware, configured with security setting $@ set to 'false', which disables enforcing that feature.", helmetProperty,
  helmetProperty.getName()
--- a/javascript/ql/src/Security/CWE-693/README.md
+++ b/javascript/ql/src/Security/CWE-693/README.md
@@ -0,0 +1,36 @@
+# Insecure Helmet Configuration - customizations
+
+You can extend the required [Helmet security settings](https://helmetjs.github.io/) using [data extensions](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-javascript/).
+
+They are defaulted to just `frameguard` and `contentSecurityPolicy`, but you can add more using this method, to require them not to be set to `false` (which explicitly disables them) in the Helmet configuration.
+
+For example, this YAML model can be used inside a CodeQL model pack to require `frameguard` and `contentSecurityPolicy`:
+
+```yaml
+extensions:
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: requiredHelmetSecuritySetting
+    data:
+      - ["frameguard"]
+      - ["contentSecurityPolicy"]
+```
+
+Note: Using `frameguard` and `contentSecurityPolicy` is an example: the query already enforces these, so it is not necessary to add it with your own data extension.
+
+A suitable model pack might be:
+
+```yaml
+name: my-org/javascript-helmet-insecure-config-model-pack
+version: 1.0.0
+extensionTargets:
+  codeql/java-all: '*'
+dataExtensions:
+  - models/**/*.yml
+```
+
+## References
+
+- [Helmet security settings](https://helmetjs.github.io/)
+- [Customizing library models for javascript](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-javascript/)
+- [Creating and working with CodeQL packs](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack)