ajinabraham.njsscan.header_cookie.cookie_session_no_path

Download Count*: 1,129
Default session middleware settings: `path` not set. It indicates the path of the cookie; use it to compare against the request path. If this and domain match, then send the cookie in the request.
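The path and domain comparison that the description refers to, written out as an added example (not part of the njsscan rule or of this page). It follows the RFC 6265 matching rules and assumes the middleware default `path` of `/`; the host names, request paths and cookie objects are constructed for illustration.

```javascript
// Added example: the RFC 6265 checks a browser applies before attaching a cookie.
// All hosts, paths and cookie objects below are constructed for illustration.

// RFC 6265 section 5.1.4: does the request path fall under the cookie's Path?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix only counts on a "/" boundary, so "/account" does not cover "/accounting".
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// RFC 6265 section 5.1.3: host-only cookies need an exact host match;
// cookies set with a Domain attribute also match subdomains (never IP addresses).
function domainMatches(requestHost, cookie) {
  const host = requestHost.toLowerCase();
  const domain = cookie.domain.toLowerCase();
  if (host === domain) return true;
  if (cookie.hostOnly) return false;
  const isIp = /^[\d.]+$/.test(host) || host.includes(':');
  return !isIp && host.endsWith('.' + domain);
}

// The cookie is sent only when both the domain and the path match.
function isCookieSent(cookie, requestHost, requestPath) {
  return domainMatches(requestHost, cookie) && pathMatches(requestPath, cookie.path);
}

// Session cookie as issued when `cookie.path` is left unset (assumed default "/").
const defaultCookie = { domain: 'shop.example.test', hostOnly: true, path: '/' };
// Same cookie with an explicit path, e.g. session({ cookie: { path: '/account' } }).
const scopedCookie = { domain: 'shop.example.test', hostOnly: true, path: '/account' };

// Constructed request paths on the same host.
const requestPaths = ['/account', '/account/orders', '/accounting', '/static/widget.js', '/'];

// Which of the sample paths would receive the cookie on the given host?
function sentTo(cookie, host) {
  return requestPaths.filter((p) => isCookieSent(cookie, host, p));
}

console.log('path unset      ->', sentTo(defaultCookie, 'shop.example.test'));
console.log("path '/account' ->", sentTo(scopedCookie, 'shop.example.test'));
```

With the path unset, the session cookie accompanies every request to the host, including static assets and unrelated applications mounted under other prefixes; the explicit path limits it to `/account` and its sub-paths.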
Definition
rules:
  - id: cookie_session_no_path
    patterns:
      - pattern-either:
          - pattern-inside: |
              $SESSION = require('cookie-session')
              ...
          - pattern-inside: |
              $SESSION = require('express-session')
              ...
      - pattern: $SESSION(...)
      - pattern-not-inside: $SESSION(<... {cookie:{path:...}} ...>,...)
      - pattern-not-inside: |
          $OPTS = <... {cookie:{path:...}} ...>;
          ...
          $SESSION($OPTS,...)
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $COOKIE = <... {path:...} ...>;
          ...
          $SESSION($OPTS,...)
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $OPTS.cookie = <... {path:...} ...>;
          ...
          $SESSION($OPTS,...)
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $COOKIE.path = ...;
          ...
          $SESSION($OPTS,...)
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $OPTS.cookie.path = ...;
          ...
          $SESSION($OPTS,...)
    message: "Default session middleware settings: `path` not set. It indicates the
      path of the cookie; use it to compare against the request path. If this
      and domain match, then send the cookie in the request."
    severity: INFO
    languages:
      - javascript
    metadata:
      cwe: cwe-522
      owasp-web: a2
      license: LGPL-3.0-or-later
Short Link: https://sg.run/8ypB