Insecure Helmet middleware configuration - frameguard or CSP to 'false'

This commit is contained in:
aegilops
2024-05-20 11:58:55 +01:00
parent 8e251ee54f
commit 3a885eaf9f
2 changed files with 107 additions and 0 deletions


@@ -0,0 +1,71 @@
<!DOCTYPE qhelp SYSTEM "qhelp.dtd">
<qhelp>
<overview>
<p>
<a href="https://helmetjs.github.io/">Helmet</a> is a collection of middleware functions for securing Express apps. It sets various HTTP headers to guard against common web vulnerabilities.
This query detects Helmet misconfigurations that can lead to security vulnerabilities, specifically:
<ul>
<li>Disabling frame protection</li>
<li>Disabling Content Security Policy</li>
</ul>
Content Security Policy (CSP) helps spot and prevent injection attacks such as Cross-Site Scripting (XSS).
Removing frame protections exposes an application to attacks such as clickjacking, where an attacker can trick a user into clicking on a button or link on a targeted page when they intended to click on the page carrying out the attack.
</p>
</overview>
<recommendation>
<p>
To help mitigate these vulnerabilities, ensure that the following Helmet functions are not disabled, and are configured appropriately to your application:
<ul>
<li><code>frameguard</code></li>
<li><code>contentSecurityPolicy</code></li>
</ul>
</p>
</recommendation>
<example>
<p>
The following code snippet demonstrates Helmet configured in an insecure manner:
<code class="language-javascript">
const helmet = require('helmet');
app.use(helmet({
frameguard: false,
contentSecurityPolicy: false
}));
</code>
</p>
<p>
In this example, the defaults are used, which enables frame protection and a default Content Security Policy.
<code class="language-javascript">
app.use(helmet());
</code>
You can also enable a custom Content Security Policy by passing an object to the <code>contentSecurityPolicy</code> key. For example, taken from the <a href="https://helmetjs.github.io/#content-security-policy">Helmet docs:
<code class="language-javascript">
app.use(
helmet({
contentSecurityPolicy: {
directives: {
"script-src": ["'self'", "example.com"],
"style-src": null,
},
},
})
);
<code>
<p>
</p>
</example>
<references>
<ul>
<li>
<a href="https://helmetjs.github.io/">helmet.js website</a>
</li>
</ul>
</references>
</qhelp>
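Review bot: the markup in this qhelp file is not well-formed: the `<a href="https://helmetjs.github.io/#content-security-policy">Helmet docs:` link is never closed with `</a>`, and the third code sample ends with an opening `<code>` instead of `</code>`, after which a stray `<p>` / `</p>` pair appears while the paragraph opened before `app.use(helmet());` is never closed. The fix is to close the link, replace the last `<code>` with `</code>` followed by `</p>`, and drop the empty pair. Two style points for the same hunk: other qhelp files put code samples in `<sample language="javascript">` blocks rather than `<code class="language-javascript">` inside a paragraph, and they place `<ul>` lists outside of `<p>` elements, which this file nests in the overview, recommendation and example sections.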


@@ -0,0 +1,36 @@
/**
* @name Insecure configuration of Helmet security middleware
* @description The Helmet middleware is used to set security-related HTTP headers in Express applications. This query finds instances where the middleware is configured with important security features disabled.
* @kind problem
* @problem.severity error
* @security-severity 5.0
* @precision high
* @id javascript/insecure-helmet-configuration
* @tags security
* cwe-693
* cwe-1021
*/
import semmle.javascript.frameworks.ExpressModules
class HelmetProperty extends Property {
HelmetProperty() {
exists(ExpressLibraries::HelmetRouteHandler helmet |
helmet.(DataFlow::CallNode).getAnArgument().asExpr().(ObjectExpr).getAProperty() = this
)
}
predicate isFalse() { this.getInit().(BooleanLiteral).getBoolValue() = false }
predicate isImportantSecuritySetting() {
this.getName() in ["frameguard", "contentSecurityPolicy"]
// read from data extensions to allow enforcing other settings
// TODO
}
}
from HelmetProperty helmetSetting
where
helmetSetting.isFalse() and
helmetSetting.isImportantSecuritySetting()
select helmetSetting, "Helmet route handler, called with $@ set to 'false'", helmetSetting, helmetSetting.getName()
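Review bot: `isImportantSecuritySetting()` is merged with a dangling `// TODO` and a comment saying the setting names are "read from data extensions", but nothing in the query does that; either add the extensible predicate or remove the comment so the hard-coded list is not misleading. Coverage is also narrower than the description implies: `HelmetProperty` only matches an inline `ObjectExpr` passed directly to the Helmet call, and `isFalse()` only matches a literal `false`, so an options object built in a variable or a setting assigned from a constant is not reported; matching property writes on the argument's local data-flow source would catch those cases. Finally, the tags `cwe-693` and `cwe-1021` should use the `external/cwe/cwe-693` form that the other queries in the repository use, so the CWE mapping is picked up by tooling.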