ajinabraham.njsscan.header_cookie.cookie_session_no_samesite

Download Count*: 1,129
Default session middleware settings: the `sameSite` attribute is not configured to `strict` or `lax`. Either of these settings provides protection against Cross-Site Request Forgery (CSRF) attacks.
Definition
```yaml
rules:
  - id: cookie_session_no_samesite
    patterns:
      - pattern-either:
          - pattern-inside: |
              $SESSION = require('cookie-session')
              ...
          - pattern-inside: |
              $SESSION = require('express-session')
              ...
      - pattern: $SESSION(...)
      - pattern-not-inside: $SESSION(<... {cookie:{sameSite:true}} ...>,...)
      - pattern-not-inside: $SESSION(<... {cookie:{sameSite:'lax'}} ...>,...)
      - pattern-not-inside: $SESSION(<... {cookie:{sameSite:'strict'}} ...>,...)
      - pattern-not-inside: |
          $OPTS = <... {cookie:{sameSite:true}} ...>;
          ...
          $SESSION($OPTS,...)
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $COOKIE = <... {sameSite:true} ...>;
          ...
          $SESSION($OPTS,...)
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $OPTS.cookie = <... {sameSite:true} ...>;
          ...
          $SESSION($OPTS,...)
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $COOKIE.sameSite = true;
          ...
          $SESSION($OPTS,...)
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $OPTS.cookie.sameSite = true;
          ...
          $SESSION($OPTS,...)
      - pattern-not-inside: |
          $OPTS = <... {cookie:{sameSite:'strict'}} ...>;
          ...
          $SESSION($OPTS,...)
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $COOKIE = <... {sameSite:'strict'} ...>;
          ...
          $SESSION($OPTS,...)
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $OPTS.cookie = <... {sameSite:'strict'} ...>;
          ...
          $SESSION($OPTS,...)
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $COOKIE.sameSite = 'strict';
          ...
          $SESSION($OPTS,...)
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $OPTS.cookie.sameSite = 'strict';
          ...
          $SESSION($OPTS,...)
    message: "Default session middleware settings: `sameSite` attribute is not
      configured to strict or lax. These configurations provides protection
      against Cross Site Request Forgery attacks."
    severity: WARNING
    languages:
      - javascript
    metadata:
      cwe: cwe-1275
      owasp-web: a2
      license: LGPL-3.0-or-later
```
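As an added example (not code from the njsscan rule or from the express-session / cookie-session projects), the check below mirrors at runtime what the rule accepts statically: the session cookie's `sameSite` must be `true`, `'lax'` or `'strict'`. The function name `checkSessionSameSite` and the constructed option objects are assumptions; they follow the `{ cookie: { sameSite } }` shape both middlewares use, and no middleware is actually loaded.

```javascript
// Values the rule's pattern-not-inside clauses accept. express-session hands
// `true` to the cookie library, which serializes it as SameSite=Strict.
const PROTECTIVE = new Set([true, 'lax', 'strict']);

// Returns null when the session cookie is protected, otherwise a finding
// string in the spirit of the rule's message.
function checkSessionSameSite(opts) {
  const cookie = opts && opts.cookie;
  const sameSite = cookie ? cookie.sameSite : undefined;
  if (sameSite === undefined) {
    // Default middleware settings: no sameSite at all (what the rule flags).
    return 'sameSite attribute is not configured to strict or lax';
  }
  // The cookie library lowercases string values, so 'Lax' works at runtime,
  // but note the Semgrep rule only matches the lowercase literals.
  const norm = typeof sameSite === 'string' ? sameSite.toLowerCase() : sameSite;
  if (PROTECTIVE.has(norm)) return null;
  // false and 'none' explicitly opt out of SameSite protection.
  return `sameSite is ${JSON.stringify(sameSite)}, which gives no CSRF protection`;
}

// Constructed configurations (hypothetical); the secret is a placeholder.
const secret = 'placeholder-session-secret';

// Flagged by the rule: express-session defaults, no cookie.sameSite set.
const insecureOpts = { secret, resave: false, saveUninitialized: false };

// Accepted: literal cookie object, matches the first pattern-not-inside form.
const hardenedLiteral = {
  secret,
  cookie: { sameSite: 'lax', httpOnly: true, secure: true },
};

// Accepted: matches the `$OPTS.cookie.sameSite = 'strict'` form.
const hardenedAssigned = { secret, cookie: { httpOnly: true, secure: true } };
hardenedAssigned.cookie.sameSite = 'strict';

// Not accepted: 'none' disables the protection and is rightly absent from
// the rule's allow-list, so it still reports a finding.
const noneOpts = { secret, cookie: { sameSite: 'none', secure: true } };
```

The rule's `$COOKIE` clauses never tie `$COOKIE` back to `$OPTS`, so a static match can be silenced by an unrelated object literal containing `sameSite: true`; this runtime check has no such gap because it inspects the object actually passed.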
Short Link: https://sg.run/EkDE