hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
4c5ecb409337e3c828c37930c86112ac69ae5983
codeql/javascript/ql/test/query-tests/Security/CWE-352/MissingCsrfMiddlewareGood2.js
Erik Krogh Kristensen ce95676130 add express.csrf as an CSRF protecting middleware
2020-10-19 15:39:02 +02:00

92 lines
2.3 KiB
JavaScript
Raw Blame History

var express = require('express');
var cookieParser = require('cookie-parser');
var passport = require('passport');
(function () {
var app = express()
app.use(cookieParser())
app.use(passport.authorize({ session: true }))
function getCsrfToken(request) {
return request.headers['x-xsrf-token'];
}
function setCsrfToken(request, response, next) {
response.cookie('XSRF-TOKEN', request.csrfToken());
next();
}
const csrf = {
getCsrfToken: getCsrfToken,
setCsrfToken: setCsrfToken
};
app.use(express.csrf({ value: csrf.getCsrfToken }));
app.use(csrf.setCsrfToken);
app.post('/changeEmail', function (req, res) {
let newEmail = req.cookies["newEmail"];
})
});
(function () {
var app = express()
app.use(cookieParser())
app.use(passport.authorize({ session: true }))
var crypto = require('crypto');
var generateToken = function (len) {
return crypto.randomBytes(Math.ceil(len * 3 / 4))
.toString('base64')
.slice(0, len);
};
function defaultValue(req) {
return (req.body && req.body._csrf)
|| (req.query && req.query._csrf)
|| (req.headers['x-csrf-token']);
}
var checkToken = function (req, res, next) {
var token = req.session._csrf || (req.session._csrf = generateToken(24));
if ('GET' == req.method || 'HEAD' == req.method || 'OPTIONS' == req.method) return next();
var val = defaultValue(req);
if (val != token) return next(function () {
res.send({ auth: false });
});
next();
}
const csrf = {
check: checkToken
};
app.use(express.cookieParser());
app.use(express.session({ secret: 'thomasdavislovessalmon' }));
app.use(express.bodyParser());
app.use(csrf.check);
app.post('/changeEmail', function (req, res) {
let newEmail = req.cookies["newEmail"];
})
});
(function () {
var app = express()
app.use(cookieParser())
app.use(passport.authorize({ session: true }))
// Assume token is being set somewhere
app.use(express.csrf({ value: function (request) {
return request.headers['x-xsrf-token'];
}}));
app.post('/changeEmail', function (req, res) {
let newEmail = req.cookies["newEmail"];
})
});
Reference in New Issue View Git Blame Copy Permalink