add express.csrf as an CSRF protecting middleware

erik-krogh · erik-krogh · commit ce956761307d · 2020-10-19T15:39:02.000+02:00
diff --git a/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.ql b/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.ql
@@ -94,6 +94,8 @@ DataFlow::CallNode csrfMiddlewareCreation() {
     exists(result.getOptionArgument(0, "csrf"))
     or
     callee = DataFlow::moduleMember("lusca", "csrf")
+    or
+    callee = DataFlow::moduleMember("express", "csrf")
   )
 }
 
diff --git a/javascript/ql/test/query-tests/Security/CWE-352/MissingCsrfMiddlewareGood2.js b/javascript/ql/test/query-tests/Security/CWE-352/MissingCsrfMiddlewareGood2.js
@@ -73,3 +73,20 @@ var passport = require('passport');
         let newEmail = req.cookies["newEmail"];
     })
 });
+
+(function () {
+
+    var app = express()
+
+    app.use(cookieParser())
+    app.use(passport.authorize({ session: true }))
+
+    // Assume token is being set somewhere
+    app.use(express.csrf({ value: function (request) {
+        return request.headers['x-xsrf-token'];
+    }}));
+
+    app.post('/changeEmail', function (req, res) {
+        let newEmail = req.cookies["newEmail"];
+    })
+});

Original file line number	Diff line number	Diff line change
`@@ -94,6 +94,8 @@ DataFlow::CallNode csrfMiddlewareCreation() {`
`94`	`94`	`exists(result.getOptionArgument(0, "csrf"))`
`95`	`95`	`or`
`96`	`96`	`callee = DataFlow::moduleMember("lusca", "csrf")`
	`97`	`+ or`
	`98`	`+ callee = DataFlow::moduleMember("express", "csrf")`
`97`	`99`	`)`
`98`	`100`	`}`
`99`	`101`