Merge pull request #216 from asger-semmle/lusca-csrf

semmle-qlci · web-flow · commit 7f56be6fe23f · 2018-09-24T11:34:24.000+01:00
Approved by esben-semmle
diff --git a/change-notes/1.19/analysis-javascript.md b/change-notes/1.19/analysis-javascript.md
@@ -22,5 +22,6 @@
 | Regular expression injection | Fewer false-positive results | This rule now identifies calls to `String.prototype.search` with more precision. |
 | Unbound event handler receiver | Fewer false-positive results | This rule now recognizes additional ways class methods can be bound. |
 | Remote property injection | Fewer results | The precision of this rule has been revised to "medium". Results are no longer shown on LGTM by default. |
+| Missing CSRF middleware | Fewer false-positive results | This rule now recognizes additional CSRF protection middlewares. |
 
 ## Changes to QL libraries
diff --git a/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.ql b/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.ql
@@ -38,12 +38,15 @@ predicate hasCookieMiddleware(Express::RouteHandlerExpr expr, Express::RouteHand
  *   // protected from CSRF
  * })
  * ```
- *
- * Currently the predicate only detects `csurf`-based protectors.
  */
 DataFlow::CallNode csrfMiddlewareCreation() {
-  exists (DataFlow::ModuleImportNode mod | result = mod.getACall() |
-    mod.getPath() = "csurf"
+  exists (DataFlow::SourceNode callee | result = callee.getACall() |
+    callee = DataFlow::moduleImport("csurf")
+    or
+    callee = DataFlow::moduleImport("lusca") and
+    exists(result.getOptionArgument(0, "csrf"))
+    or
+    callee = DataFlow::moduleMember("lusca", "csrf")
   )
 }
 
diff --git a/javascript/ql/test/query-tests/Security/CWE-352/MissingCsrfMiddleware.expected b/javascript/ql/test/query-tests/Security/CWE-352/MissingCsrfMiddleware.expected
@@ -1,3 +1,5 @@
 | MissingCsrfMiddlewareBad.js:7:9:7:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | MissingCsrfMiddlewareBad.js:10:26:11:1 | functio ... es) {\\n} | here |
 | csurf_api_example.js:39:37:39:50 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | csurf_api_example.js:39:53:41:3 | functio ... e')\\n  } | here |
 | csurf_example.js:18:9:18:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | csurf_example.js:29:40:31:1 | functio ... sed')\\n} | here |
+| lusca_example.js:9:9:9:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | lusca_example.js:23:42:25:1 | functio ... sed')\\n} | here |
+| lusca_example.js:9:9:9:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | lusca_example.js:27:40:29:1 | functio ... sed')\\n} | here |
diff --git a/javascript/ql/test/query-tests/Security/CWE-352/lusca_example.js b/javascript/ql/test/query-tests/Security/CWE-352/lusca_example.js
@@ -0,0 +1,29 @@
+var express = require('express')
+var cookieParser = require('cookie-parser')
+var bodyParser = require('body-parser')
+
+var parseForm = bodyParser.urlencoded({ extended: false })
+var lusca = require('lusca');
+
+var app = express()
+app.use(cookieParser())
+
+app.post('/process', parseForm, lusca.csrf(), function (req, res) { // OK
+  res.send('data is being processed')
+})
+
+app.post('/process', parseForm, lusca({csrf:true}), function (req, res) { // OK
+  res.send('data is being processed')
+})
+
+app.post('/process', parseForm, lusca({csrf:{}}), function (req, res) { // OK
+  res.send('data is being processed')
+})
+
+app.post('/process', parseForm, lusca(), function (req, res) { // NOT OK - missing csrf option
+  res.send('data is being processed')
+})
+
+app.post('/process_unsafe', parseForm, function (req, res) { // NOT OK
+  res.send('data is being processed')
+})
