Added data extension to allow setting extra required Helmet features

2026-04-29 02:35:15 +02:00 · 2024-06-07 15:32:11 +01:00
parent 68e21a594a
commit f5d465f08a
2 changed files with 38 additions and 3 deletions
--- a/javascript/ql/src/Security/CWE-693/InsecureHelmet.qhelp
+++ b/javascript/ql/src/Security/CWE-693/InsecureHelmet.qhelp
@@ -2,7 +2,7 @@
 <qhelp>
    <overview>
        <p>
-            <a href="https://helmetjs.github.io/">Helmet</a> is a collection of middleware functions for securing Express apps. It sets various HTTP headers to guard against common web vulnerabilities.
+            <a href="https://helmetjs.github.io/">Helmet</a> is a collection of middleware functions for securing Express apps. It sets various HTTP headers to guard against common web vulnerabilities.<br>

            This query detects Helmet misconfigurations that can lead to security vulnerabilities, specifically:
        </p>
@@ -13,10 +13,28 @@
        </ul>

        <p>
-            Content Security Policy (CSP) helps spot and prevent injection attacks such as Cross-Site Scripting (XSS).
+            Content Security Policy (CSP) helps spot and prevent injection attacks such as Cross-Site Scripting (XSS).<br>

            Removing frame protections exposes an application to attacks such as clickjacking, where an attacker can trick a user into clicking on a button or link on a targeted page when they intended to click on the page carrying out the attack.
        </p>
+
+        <p>
+            Users of the query can extend the set of required Helmet features by adding additional checks for them, using CodeQL <a href="https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-javascript/">data extensions</a>.
+        </p>
+
+        <pre>
+        extensions:
+          - addsTo:
+              pack: codeql/javascript-all
+              extensible: requiredHelmetSecuritySetting
+            data:
+              - name: "frameguard"
+        </pre>
+
+        <p>
+            Note: <code>frameguard</code> is an example: the query already enforces this setting, so it is not necessary to add it to the data extension. 
+        </p>
+
    </overview>
    <recommendation>
        <p>
--- a/javascript/ql/src/Security/CWE-693/InsecureHelmet.ql
+++ b/javascript/ql/src/Security/CWE-693/InsecureHelmet.ql
@@ -27,10 +27,27 @@ class HelmetProperty extends Property {
  predicate isImportantSecuritySetting() {
    this.getName() in ["frameguard", "contentSecurityPolicy"]
    // read from data extensions to allow enforcing other settings
-    // TODO
+    or requiredHelmetSecuritySetting(this.getName())
  }
 }

+/*
+ * Extend the required Helmet security settings using data extensions.
+ * Docs: https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-javascript/
+ * For example:
+
+extensions:
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: requiredHelmetSecuritySetting
+    data:
+      - name: "frameguard"
+
+ * Note: `frameguard` is an example: the query already enforces this setting, so it is not necessary to add it to the data extension. 
+
+ */
+extensible predicate requiredHelmetSecuritySetting(string name);
+
 from HelmetProperty helmetSetting, ExpressLibraries::HelmetRouteHandler helmet
 where
  helmetSetting.isFalse() and