gitlab.eslint.detect-no-csrf-before-method-override
Detected use of express.csrf() middleware before express.methodOverride(). This can allow GET requests (which are not checked by csrf) to turn into POST requests later.
Definition
rules:
  - id: eslint.detect-no-csrf-before-method-override
    metadata:
      cwe: "CWE-352: Cross-Site Request Forgery (CSRF)"
      source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-no-csrf-before-method-override.js
      references:
        - https://github.com/nodesecurity/eslint-plugin-security/blob/master/docs/bypass-connect-csrf-protection-by-abusing.md
      primary_identifier: eslint.detect-no-csrf-before-method-override
      secondary_identifiers:
        - name: ESLint rule ID security/detect-no-csrf-before-method-override
          type: eslint_rule_id
          value: security/detect-no-csrf-before-method-override
      license: MIT
    message: >
      Detected use of express.csrf() middleware before express.methodOverride().
      This can allow GET requests (which are not checked by csrf) to turn into POST requests later.
    pattern: |
      express.csrf();
      ...
      express.methodOverride();
    severity: WARNING
    languages:
      - javascript
      - typescript
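To show why the middleware order matters, here is an added example that is not code from the Semgrep registry or from eslint-plugin-security: a small stand-in for Express's middleware chain with constructed models of csrf() and methodOverride(), run once in the order the rule flags and once in the corrected order. The requests, the session token and the DELETE handler are all constructed for the demonstration.

```javascript
// csrf(): modelled on connect's csrf middleware. Safe methods pass unchecked;
// anything else needs a token matching the one stored in the session.
function csrf(req, res, next) {
  if (['GET', 'HEAD', 'OPTIONS'].includes(req.method)) return next();
  if (req.body && req.body._csrf === req.session.csrfToken) return next();
  res.status = 403; // reject: no next(), the chain stops here
}

// methodOverride(): modelled on connect's methodOverride. A `_method` field in
// the body or query string replaces req.method for everything downstream.
function methodOverride(req, res, next) {
  const override = (req.body && req.body._method) || (req.query && req.query._method);
  if (override) req.method = String(override).toUpperCase();
  next();
}

// Minimal stand-in for Express's chain: each middleware calls next() to pass
// control on; the final handler performs a state change only for DELETE.
function simulate(chain, req) {
  const res = { status: 200, actionRan: false };
  const handler = (r, s) => { if (r.method === 'DELETE') s.actionRan = true; };
  const stack = [...chain, handler];
  let i = 0;
  const next = () => { const mw = stack[i++]; if (mw) mw(req, res, next); };
  next();
  return res;
}

// Constructed cross-site request: a plain GET (no token) that carries
// `_method=DELETE` in the query string.
function forgedGet() {
  return { method: 'GET', query: { _method: 'DELETE' }, body: {},
           session: { csrfToken: 'constructed-token' } };
}

// Constructed legitimate request: a POST carrying both the override and a valid token.
function legitimatePost() {
  return { method: 'POST', query: {},
           body: { _method: 'DELETE', _csrf: 'constructed-token' },
           session: { csrfToken: 'constructed-token' } };
}

// The ordering the rule flags: csrf sees GET and waves it through, then
// methodOverride turns it into DELETE and the handler runs unprotected.
function flaggedOrder(req) { return simulate([csrf, methodOverride], req); }

// The corrected ordering: methodOverride runs first, so csrf sees DELETE and demands the token.
function fixedOrder(req) { return simulate([methodOverride, csrf], req); }
```

With the flagged order the forged GET reaches the handler with status 200 and the action runs; with the corrected order the same request is stopped with 403, while a tokened POST still goes through.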
Short Link: https://sg.run/4PPg