JS: Recognize req.user as a cookie access

This commit is contained in:
Asger Feldthaus
2020-01-24 09:44:08 +00:00
parent a68bb9ffd1
commit b98db62e82
3 changed files with 16 additions and 4 deletions


@@ -12,16 +12,16 @@
import javascript
/** Gets the string `session` or `cookies`, the parts of `req` containing cookie data. */
string sessionOrCookies() {
result = "session" or result = "cookies"
/** Gets a property name of `req` which refers to data usually derived from cookie data. */
string cookieProperty() {
result = "session" or result = "cookies" or result = "user"
}
/** Gets a data flow node that flows to the base of an access to `cookies` or `session`. */
private DataFlow::SourceNode nodeLeadingToCookieAccess(DataFlow::TypeBackTracker t) {
t.start() and
exists(DataFlow::PropRead value |
value = result.getAPropertyRead(sessionOrCookies()).getAPropertyRead() and
value = result.getAPropertyRead(cookieProperty()).getAPropertyRead() and
// Ignore accesses to values that are part of a CSRF or captcha check
not value.getPropertyName().regexpMatch("(?i).*(csrf|xsrf|captcha).*") and
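Review bot: Adding `"user"` to `cookieProperty()` treats every `req.user` read as cookie-derived, but `req.user` is also populated by header-based authentication (bearer-token strategies), where no cookie is involved and a missing-CSRF alert is a false positive; the docstring's "usually derived from cookie data" acknowledges this without stating the consequence. I would make the caveat explicit in the doc comment, e.g. `/** Gets a property name of `req` which refers to data usually derived from cookie data. Note: `user` may also be set by header-based (token) authentication, so this is a heuristic. */`, and, if the library tracks session/cookie middleware elsewhere, consider requiring that context for the `user` case only. `nodeLeadingToCookieAccess` continues past the end of this hunk, so I cannot see whether a later conjunct already narrows this.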


@@ -4,3 +4,5 @@
| lusca_example.js:9:9:9:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | lusca_example.js:26:42:29:1 | functio ... sed')\\n} | here |
| lusca_example.js:9:9:9:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | lusca_example.js:31:40:34:1 | functio ... sed')\\n} | here |
| unused_cookies.js:6:9:6:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | unused_cookies.js:8:34:13:1 | (req, r ... Ok');\\n} | here |
| unused_cookies.js:6:9:6:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | unused_cookies.js:29:19:32:1 | (req, r ... Ok');\\n} | here |
| unused_cookies.js:6:9:6:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | unused_cookies.js:34:22:37:1 | (req, r ... Ok');\\n} | here |


@@ -26,4 +26,14 @@ app.post('/doWithCaptcha', (req, res) => { // OK - attacker can't guess the capt
res.end('Ok');
});
app.post('/user', (req, res) => { // NOT OK - access to req.user is unprotected
somethingElse(req.user.name);
res.end('Ok');
});
app.post('/session', (req, res) => { // NOT OK - access to req.session is unprotected
somethingElse(req.session.name);
res.end('Ok');
});
app.listen();
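Review bot: The new `/user` handler only exercises the flagged path; there is no counterpart where `req.user` is read in a handler that is protected (mirroring the existing `session` fixtures), so the test cannot show that the new property is suppressed the same way as `session` when CSRF middleware is present. I would add such a handler with an `// OK` comment next to `/user`. Blank lines appear to have been dropped in this rendering (the hunk claims 14 new-side lines), so the exact placement is inferred.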