remove support for passport in the session-fixation query

2026-04-30 19:26:02 +02:00 · 2022-05-23 09:19:12 +02:00
parent 63f5a86699
commit 7a3bbede1b
3 changed files with 3 additions and 6 deletions
--- a/javascript/ql/src/Security/CWE-384/SessionFixation.ql
+++ b/javascript/ql/src/Security/CWE-384/SessionFixation.ql
@@ -19,7 +19,7 @@ import javascript
 */
 pragma[inline]
 predicate isLoginSetup(Express::RouteSetup setup) {
-  // either some path that contains "login" with a write to `req.session`
+  // some path that contains "login" with a write to `req.session`
  setup.getPath().matches("%login%") and
  exists(
    setup
@@ -30,9 +30,7 @@ predicate isLoginSetup(Express::RouteSetup setup) {
        .getAPropertyRead("session")
        .getAPropertyWrite()
  )
-  or
-  // or an authentication method is used (e.g. `passport.authenticate`)
-  setup.getARouteHandler().(DataFlow::CallNode).getCalleeName() = "authenticate"
+  // passport used to be recognized, but they have since added build-in protection against session fixation
 }

 /**