Merge remote-tracking branch 'upstream/master' into exceptionFPs

2026-04-30 11:15:13 +02:00 · 2020-01-30 10:56:41 +01:00
parent 6494649125 c4d2163321
commit 7637ebcc03
663 changed files with 10821 additions and 3439 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-352/MissingCsrfMiddleware.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-352/MissingCsrfMiddleware.expected
@@ -1,5 +1,8 @@
-| MissingCsrfMiddlewareBad.js:7:9:7:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | MissingCsrfMiddlewareBad.js:10:26:11:1 | functio ... es) {\\n} | here |
-| csurf_api_example.js:39:37:39:50 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | csurf_api_example.js:39:53:41:3 | functio ... e')\\n  } | here |
-| csurf_example.js:18:9:18:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | csurf_example.js:29:40:31:1 | functio ... sed')\\n} | here |
-| lusca_example.js:9:9:9:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | lusca_example.js:23:42:25:1 | functio ... sed')\\n} | here |
-| lusca_example.js:9:9:9:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | lusca_example.js:27:40:29:1 | functio ... sed')\\n} | here |
+| MissingCsrfMiddlewareBad.js:7:9:7:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | MissingCsrfMiddlewareBad.js:10:26:12:1 | functio ... il"];\\n} | here |
+| csurf_api_example.js:42:37:42:50 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | csurf_api_example.js:42:53:45:3 | functio ... e')\\n  } | here |
+| csurf_example.js:18:9:18:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | csurf_example.js:31:40:34:1 | functio ... sed')\\n} | here |
+| lusca_example.js:9:9:9:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | lusca_example.js:26:42:29:1 | functio ... sed')\\n} | here |
+| lusca_example.js:9:9:9:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | lusca_example.js:31:40:34:1 | functio ... sed')\\n} | here |
+| unused_cookies.js:6:9:6:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | unused_cookies.js:8:34:13:1 | (req, r ... Ok');\\n} | here |
+| unused_cookies.js:6:9:6:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | unused_cookies.js:29:19:32:1 | (req, r ... Ok');\\n} | here |
+| unused_cookies.js:6:9:6:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | unused_cookies.js:34:22:37:1 | (req, r ... Ok');\\n} | here |
--- a/javascript/ql/test/query-tests/Security/CWE-352/MissingCsrfMiddlewareBad.js
+++ b/javascript/ql/test/query-tests/Security/CWE-352/MissingCsrfMiddlewareBad.js
@@ -8,4 +8,5 @@ app.use(cookieParser())
 app.use(passport.authorize({ session: true }))

 app.post('/changeEmail', function (req, res) {
+    let newEmail = req.cookies["newEmail"];
 })
--- a/javascript/ql/test/query-tests/Security/CWE-352/MissingCsrfMiddlewareGood.js
+++ b/javascript/ql/test/query-tests/Security/CWE-352/MissingCsrfMiddlewareGood.js
@@ -10,4 +10,5 @@ app.use(passport.authorize({ session: true }))
 app.use(csrf({ cookie:true }))

 app.post('/changeEmail', function (req, res) {
+    let newEmail = req.cookies["newEmail"];
 })
--- a/javascript/ql/test/query-tests/Security/CWE-352/csurf_api_example.js
+++ b/javascript/ql/test/query-tests/Security/CWE-352/csurf_api_example.js
@@ -21,11 +21,13 @@ app.use(cookieParser())
 app.use(csrf({ cookie: true }))

 app.get('/form', function (req, res) {
+  let newEmail = req.cookies["newEmail"];
  // pass the csrfToken to the view
  res.render('send', { csrfToken: req.csrfToken() })
 })

 app.post('/process', function (req, res) { // OK
+  let newEmail = req.cookies["newEmail"];
  res.send('csrf was required to get here')
 })

@@ -33,10 +35,12 @@ function createApiRouter () {
  var router = new express.Router()

  router.post('/getProfile', function (req, res) { // OK - cookies are not parsed
+    let newEmail = req.cookies["newEmail"];
    res.send('no csrf to get here')
  })

  router.post('/getProfile_unsafe', cookieParser(), function (req, res) { // NOT OK - may use cookies
+    let newEmail = req.cookies["newEmail"];
    res.send('no csrf to get here')
  })

--- a/javascript/ql/test/query-tests/Security/CWE-352/csurf_example.js
+++ b/javascript/ql/test/query-tests/Security/CWE-352/csurf_example.js
@@ -18,14 +18,17 @@ var app = express()
 app.use(cookieParser())

 app.get('/form', csrfProtection, function (req, res) { // OK
+  let newEmail = req.cookies["newEmail"];
  // pass the csrfToken to the view
  res.render('send', { csrfToken: req.csrfToken() })
 })

 app.post('/process', parseForm, csrfProtection, function (req, res) { // OK
+  let newEmail = req.cookies["newEmail"];
  res.send('data is being processed')
 })

 app.post('/process_unsafe', parseForm, function (req, res) { // NOT OK
+  let newEmail = req.cookies["newEmail"];
  res.send('data is being processed')
 })
--- a/javascript/ql/test/query-tests/Security/CWE-352/lusca_example.js
+++ b/javascript/ql/test/query-tests/Security/CWE-352/lusca_example.js
@@ -9,21 +9,26 @@ var app = express()
 app.use(cookieParser())

 app.post('/process', parseForm, lusca.csrf(), function (req, res) { // OK
+  let newEmail = req.cookies["newEmail"];
  res.send('data is being processed')
 })

 app.post('/process', parseForm, lusca({csrf:true}), function (req, res) { // OK
+  let newEmail = req.cookies["newEmail"];
  res.send('data is being processed')
 })

 app.post('/process', parseForm, lusca({csrf:{}}), function (req, res) { // OK
+  let newEmail = req.cookies["newEmail"];
  res.send('data is being processed')
 })

 app.post('/process', parseForm, lusca(), function (req, res) { // NOT OK - missing csrf option
+  let newEmail = req.cookies["newEmail"];
  res.send('data is being processed')
 })

 app.post('/process_unsafe', parseForm, function (req, res) { // NOT OK
+  let newEmail = req.cookies["newEmail"];
  res.send('data is being processed')
 })
--- a/javascript/ql/test/query-tests/Security/CWE-352/unused_cookies.js
+++ b/javascript/ql/test/query-tests/Security/CWE-352/unused_cookies.js
@@ -0,0 +1,39 @@
+let express = require('express');
+let cookieParser = require('cookie-parser');
+
+let app = express();
+
+app.use(cookieParser());
+
+app.post('/doSomethingTerrible', (req, res) => { // NOT OK - uses cookies
+    if (req.cookies['secret'] === app.secret) {
+        somethingTerrible();
+    }
+    res.end('Ok');
+});
+
+app.post('/doSomethingElse', (req, res) => { // OK - doesn't actually use cookies
+    somethingElse(req.query['data']);
+    res.end('Ok');
+});
+
+app.post('/doWithCaptcha', (req, res) => { // OK - attacker can't guess the captcha value either
+    if (req.session['captcha'] !== req.query['captcha']) {
+        res.end("You guessed wrong, that 'u' was actually a 'U'. Try again.");
+        return;
+    }
+    somethingElse(req.query['data']);
+    res.end('Ok');
+});
+
+app.post('/user', (req, res) => { // NOT OK - access to req.user is unprotected
+    somethingElse(req.user.name);
+    res.end('Ok');
+});
+
+app.post('/session', (req, res) => { // NOT OK - access to req.session is unprotected
+    somethingElse(req.session.name);
+    res.end('Ok');
+});
+
+app.listen();