JS: Instantiate for Fastify

2026-05-02 12:15:17 +02:00 · 2021-10-07 12:14:17 +02:00
parent cfb9265f0a
commit 71820569e1
3 changed files with 151 additions and 10 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-352/fastify.js
+++ b/javascript/ql/test/query-tests/Security/CWE-352/fastify.js
@@ -0,0 +1,34 @@
+const fastify = require('fastify')
+
+const app = fastify();
+
+app.register(require('fastify-cookie'));
+app.register(require('fastify-csrf'));
+
+app.route({
+  method: 'GET',
+  path: '/getter',
+  handler: async (req, reply) => { // OK
+    return 'hello';
+  }
+})
+
+// unprotected route
+app.route({
+  method: 'POST',
+  path: '/',
+  handler: async (req, reply) => { // NOT OK - lacks CSRF protection
+    req.session.blah;
+    return req.body
+  }
+})
+
+
+app.route({
+  method: 'POST',
+  path: '/',
+  onRequest: app.csrfProtection,
+  handler: async (req, reply) => { // OK - has CSRF protection
+    return req.body
+  }
+})