ajinabraham.njsscan.header_cookie.cookie_session_no_domain

Default session middleware settings: `domain` not set. The `Domain` attribute tells the browser which hosts the session cookie is sent to: the browser compares it against the host of the request URL and, if they match, checks the `Path` attribute next. When the attribute is omitted, the cookie is host-only and most clients send it only to the exact host that set it.
Definition
rules:
  - id: cookie_session_no_domain
    patterns:
      - pattern-either:
          - pattern-inside: |
              $SESSION = require('cookie-session')
              ...
          - pattern-inside: |
              $SESSION = require('express-session')
              ...
      - pattern: $SESSION(...)
      - pattern-not-inside: $SESSION(<... {cookie:{domain:...}} ...>,...)
      - pattern-not-inside: |
          $OPTS = <... {cookie:{domain:...}} ...>;
          ...
          $SESSION($OPTS,...)
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $COOKIE = <... {domain:...} ...>;
          ...
          $SESSION($OPTS,...)
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $OPTS.cookie = <... {domain:...} ...>;
          ...
          $SESSION($OPTS,...)
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $COOKIE.domain = ...;
          ...
          $SESSION($OPTS,...)
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $OPTS.cookie.domain = ...;
          ...
          $SESSION($OPTS,...)
    message: "Default session middleware settings: `domain` not set. It indicates
      the domain of the cookie; use it to compare against the domain of the
      server in which the URL is being requested. If they match, then check the
      path attribute next."
    severity: INFO
    languages:
      - javascript
    metadata:
      cwe: cwe-522
      owasp-web: a2
      license: LGPL-3.0-or-later
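As an added example (not code from njsscan, express-session or cookie-session), the following JavaScript shows what the rule looks for in a session-middleware options object and what the `domain` attribute changes once the browser stores the cookie. The option objects, the hostnames and the helper names `hasCookieDomain`, `storeCookie`, `domainMatches` and `cookieSentTo` are constructed for illustration; the storage and matching logic follows RFC 6265 sections 5.3 and 5.1.3.

```javascript
// Added example: effect of the session cookie's `domain` option.
// Not part of the njsscan rule or of express-session / cookie-session.

// Constructed middleware option objects. `flaggedOptions` is the shape the
// rule reports (no cookie.domain); `scopedOptions` sets it and is not reported.
const flaggedOptions = {
  secret: 'constructed-example-secret',
  cookie: { secure: true, httpOnly: true, sameSite: 'lax' },
};
const scopedOptions = {
  secret: 'constructed-example-secret',
  cookie: { secure: true, httpOnly: true, sameSite: 'lax', domain: 'example.com' },
};

// Runtime mirror of the rule's static check: is cookie.domain a non-empty string?
function hasCookieDomain(options) {
  const domain = options && options.cookie && options.cookie.domain;
  return typeof domain === 'string' && domain.length > 0;
}

// Model how a browser stores the Set-Cookie the middleware emits (RFC 6265 5.3):
// no Domain attribute  -> host-only cookie bound to the responding host;
// Domain attribute set -> domain cookie, leading dot dropped, lowercased.
function storeCookie(options, respondingHost) {
  const domain = options.cookie && options.cookie.domain;
  if (!domain) {
    return { hostOnly: true, domain: respondingHost.toLowerCase() };
  }
  return { hostOnly: false, domain: domain.replace(/^\./, '').toLowerCase() };
}

// RFC 6265 5.1.3 domain matching: exact match, or the host is a subdomain
// of the cookie domain. Bare IPv4 literals never match a domain suffix.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  if (h === cookieDomain) return true;
  if (/^[\d.]+$/.test(h)) return false;
  return h.endsWith('.' + cookieDomain);
}

// Would the browser attach the stored session cookie to a request for `host`?
// Host-only cookies go to exactly one host; domain cookies also reach subdomains.
function cookieSentTo(stored, host) {
  if (stored.hostOnly) return host.toLowerCase() === stored.domain;
  return domainMatches(host, stored.domain);
}

// Walk both configurations for a server answering as app.example.com and
// report where each session cookie would be sent.
function compareScopes(respondingHost, candidateHosts) {
  const result = {};
  for (const [name, options] of [['flagged', flaggedOptions], ['scoped', scopedOptions]]) {
    const stored = storeCookie(options, respondingHost);
    result[name] = {
      domainSet: hasCookieDomain(options),
      sentTo: candidateHosts.filter((h) => cookieSentTo(stored, h)),
    };
  }
  return result;
}

console.log(JSON.stringify(
  compareScopes('app.example.com', ['app.example.com', 'other.example.com', 'example.com', 'notexample.com']),
  null, 2));
```

Leaving `domain` unset produces a host-only cookie, the narrowest scope a browser offers; setting `domain: 'example.com'` makes the same session cookie travel to every subdomain of example.com as well. That is why the rule reports at INFO severity: the finding is a prompt to choose the cookie's scope deliberately, not a defect that is fixed simply by adding the attribute.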
Short Link: https://sg.run/Lw6n