JS: recognize CSRF middleware from lusca package

2026-05-03 04:39:29 +02:00 · 2018-09-21 13:15:17 +01:00
parent 69962bd06c
commit 5f467d2fc5
3 changed files with 43 additions and 4 deletions
--- a/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.ql
+++ b/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.ql
@@ -38,12 +38,15 @@ predicate hasCookieMiddleware(Express::RouteHandlerExpr expr, Express::RouteHand
 *   // protected from CSRF
 * })
 * ```
- *
- * Currently the predicate only detects `csurf`-based protectors.
 */
 DataFlow::CallNode csrfMiddlewareCreation() {
-  exists (DataFlow::ModuleImportNode mod | result = mod.getACall() |
-    mod.getPath() = "csurf"
+  exists (DataFlow::SourceNode callee | result = callee.getACall() |
+    callee = DataFlow::moduleImport("csurf")
+    or
+    callee = DataFlow::moduleImport("lusca") and
+    result.getOptionArgument(0, "csrf").analyze().getABooleanValue() = true // any truthy value will enable CSRF
+    or
+    callee = DataFlow::moduleMember("lusca", "csrf")
  )
 }

--- a/javascript/ql/test/query-tests/Security/CWE-352/MissingCsrfMiddleware.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-352/MissingCsrfMiddleware.expected
@@ -1,3 +1,6 @@
 | MissingCsrfMiddlewareBad.js:7:9:7:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | MissingCsrfMiddlewareBad.js:10:26:11:1 | functio ... es) {\\n} | here |
 | csurf_api_example.js:39:37:39:50 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | csurf_api_example.js:39:53:41:3 | functio ... e')\\n  } | here |
 | csurf_example.js:18:9:18:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | csurf_example.js:29:40:31:1 | functio ... sed')\\n} | here |
+| lusca_example.js:9:9:9:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | lusca_example.js:23:42:25:1 | functio ... sed')\\n} | here |
+| lusca_example.js:9:9:9:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | lusca_example.js:27:55:29:1 | functio ... sed')\\n} | here |
+| lusca_example.js:9:9:9:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | lusca_example.js:31:40:33:1 | functio ... sed')\\n} | here |
--- a/javascript/ql/test/query-tests/Security/CWE-352/lusca_example.js
+++ b/javascript/ql/test/query-tests/Security/CWE-352/lusca_example.js
@@ -0,0 +1,33 @@
+var express = require('express')
+var cookieParser = require('cookie-parser')
+var bodyParser = require('body-parser')
+
+var parseForm = bodyParser.urlencoded({ extended: false })
+var lusca = require('lusca');
+
+var app = express()
+app.use(cookieParser())
+
+app.post('/process', parseForm, lusca.csrf(), function (req, res) { // OK
+  res.send('data is being processed')
+})
+
+app.post('/process', parseForm, lusca({csrf:true}), function (req, res) { // OK
+  res.send('data is being processed')
+})
+
+app.post('/process', parseForm, lusca({csrf:{}}), function (req, res) { // OK
+  res.send('data is being processed')
+})
+
+app.post('/process', parseForm, lusca(), function (req, res) { // NOT OK - missing csrf option
+  res.send('data is being processed')
+})
+
+app.post('/process', parseForm, lusca({csrf: false}), function (req, res) { // NOT OK - csrf disabled
+  res.send('data is being processed')
+})
+
+app.post('/process_unsafe', parseForm, function (req, res) { // NOT OK
+  res.send('data is being processed')
+})