Merge pull request #4521 from erik-krogh/moreMiddle

Approved by asgerf
This commit is contained in:
CodeQL CI
2020-10-20 07:14:14 -07:00
committed by GitHub
2 changed files with 41 additions and 11 deletions


@@ -100,18 +100,21 @@ DataFlow::CallNode csrfMiddlewareCreation() {
}
/**
* Gets a data flow node that flows to the base of a write to `cookies`, `session`, or `user`,
* where the written property has `csrf` or `xsrf` in its name.
* Gets a data flow node that flows to the base of a reference to `cookies`, `session`, or `user`,
* where the references property has `csrf` or `xsrf` in its name,
* and a property is either written or part of a comparison.
*/
private DataFlow::SourceNode nodeLeadingToCsrfWrite(DataFlow::TypeBackTracker t) {
private DataFlow::SourceNode nodeLeadingToCsrfWriteOrCheck(DataFlow::TypeBackTracker t) {
t.start() and
result
.getAPropertyRead(cookieProperty())
.getAPropertyWrite()
.getPropertyName()
.regexpMatch("(?i).*(csrf|xsrf).*")
exists(DataFlow::PropRef ref |
ref = result.getAPropertyRead(cookieProperty()).getAPropertyReference() and
ref.getPropertyName().regexpMatch("(?i).*(csrf|xsrf).*")
|
ref instanceof DataFlow::PropWrite or
ref.(DataFlow::PropRead).asExpr() = any(EqualityTest c).getAnOperand()
)
or
exists(DataFlow::TypeBackTracker t2 | result = nodeLeadingToCsrfWrite(t2).backtrack(t2, t))
exists(DataFlow::TypeBackTracker t2 | result = nodeLeadingToCsrfWriteOrCheck(t2).backtrack(t2, t))
}
/**
@@ -131,7 +134,7 @@ private Express::RouteHandler getAHandlerSettingCsrfCookie() {
*/
predicate isCsrfProtectionRouteHandler(Express::RouteHandler handler) {
DataFlow::parameterNode(handler.getRequestParameter()) =
nodeLeadingToCsrfWrite(DataFlow::TypeBackTracker::end())
nodeLeadingToCsrfWriteOrCheck(DataFlow::TypeBackTracker::end())
or
handler = getAHandlerSettingCsrfCookie()
}
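Review bot: The new disjunct `ref.(DataFlow::PropRead).asExpr() = any(EqualityTest c).getAnOperand()` in nodeLeadingToCsrfWriteOrCheck counts any equality test that mentions a csrf-named property as a validation, without requiring that the comparison outcome gates a rejection, so a handler that compares the token but ignores the result would presumably still be classed as protected by isCsrfProtectionRouteHandler. If that precision trade-off is deliberate, a one-line comment on that disjunct saying so would keep the next reader from tightening it without noticing the effect on the test expectations. The doc comment above the predicate also has two slips: `where the references property` should read `where the referenced property`, and `and a property is either written or part of a comparison` is more precise as `and that property is either written or is an operand of an equality test`.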


@@ -89,4 +89,31 @@ var passport = require('passport');
app.post('/changeEmail', function (req, res) {
let newEmail = req.cookies["newEmail"];
})
});
});
(function () {
var app = express()
app.use(cookieParser())
app.use(passport.authorize({ session: true }))
function checkToken(req) {
if (req.headers.xsrfToken !== req.session.xsrfToken) {
throw new Error("Halt and catch fire!")
}
}
function setCsrfToken(req, response, next) {
req.session.xsrfToken = req.csrfToken();
next();
}
app.use(checkToken);
app.post('/changeEmail', function (req, res) {
let newEmail = req.cookies["newEmail"];
});
app.use(setCsrfToken); // There is nothing wrong with setting the token late, as long as it is checked early.
});
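Review bot: `checkToken` on the new side is registered with `app.use(checkToken)` but is declared as `function checkToken(req)` and never calls `next()`, so as Express middleware it would stall every request whose token matches instead of letting it reach `/changeEmail`; since the fixture models a handler that validates early and then proceeds, I would declare it `function checkToken(req, res, next) { if (req.headers.xsrfToken !== req.session.xsrfToken) { throw new Error("Halt and catch fire!") } next(); }`. Node's HTTP parser also lower-cases incoming header names, so `req.headers.xsrfToken` is undefined at runtime and the comparison would fail for every request; that does not change what the analysis sees, but reading something like `req.headers["x-xsrf-token"]` would make the fixture match a real app. The trailing comment on `app.use(setCsrfToken)` is a useful hint and worth keeping.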