ajinabraham.njsscan.header_cookie.cookie_session_no_maxage

ajinabraham

Author

1,129

Download Count*

GPLv3

License

Session middleware settings: maxAge not set. Use it to set expiration date for cookies.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit Rule View Source

Open in Playground

rules:
  - id: cookie_session_no_maxage
    patterns:
      - pattern-either:
          - pattern-inside: |
              $SESSION = require('cookie-session')
              ...
          - pattern-inside: |
              $SESSION = require('express-session')
              ...
      - pattern: $SESSION(...)
      - pattern-not-inside: $SESSION(<... {cookie:{maxAge:...}} ...>,...)
      - pattern-not-inside: |
          $OPTS = <... {cookie:{maxAge:...}} ...>;
          ...
          $SESSION($OPTS,...)
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $COOKIE = <... {maxAge:...} ...>;
          ...
          $SESSION($OPTS,...)
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $OPTS.cookie = <... {maxAge:...} ...>;
          ...
          $SESSION($OPTS,...)
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $COOKIE.maxAge = ...;
          ...
          $SESSION($OPTS,...)
      - pattern-not-inside: |-
          $OPTS = ...;
          ...
          $OPTS.cookie.maxAge = ...;
          ...
          $SESSION($OPTS,...)
    message: "Session middleware settings: `maxAge` not set. Use it to set
      expiration date for cookies."
    severity: INFO
    languages:
      - javascript
    metadata:
      cwe: cwe-613
      owasp-web: a2
      license: LGPL-3.0-or-later

Short Link: https://sg.run/gL2K