javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage


A CSRF middleware was not detected in your express application. Ensure you are using one such as csurf or csrf (see rule references) and/or that you are properly doing CSRF validation in your routes with a token or cookies.


Definition

# Semgrep audit rule: reports an Express application object being created in a
# file that requires `express` but never imports a CSRF-protection package.
rules:
  - id: express-check-csurf-middleware-usage
    # Finding text shown to the user. The remediation is either to wire in a
    # CSRF middleware or to validate a per-request token in state-changing routes.
    message: A CSRF middleware was not detected in your express application. Ensure
      you are either using one such as `csurf` or `csrf` (see rule references)
      and/or you are properly doing CSRF validation in your routes with a token
      or cookies.
    metadata:
      category: security
      references:
        - https://www.npmjs.com/package/csurf
        - https://www.npmjs.com/package/csrf
        - https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
      cwe:
        - "CWE-352: Cross-Site Request Forgery (CSRF)"
      owasp:
        - A01:2021 - Broken Access Control
      technology:
        - javascript
        - typescript
        - express
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      # LOW likelihood / LOW confidence: the patterns below only check whether a
      # CSRF package is imported at all; they cannot tell whether the middleware
      # is actually applied to every state-changing route (compare the `/bad`
      # route in the example file, which the rule does not see).
      likelihood: LOW
      impact: HIGH
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site Request Forgery (CSRF)
    languages:
      - javascript
      - typescript
    # INFO: an audit hint to review, not a confirmed vulnerability.
    severity: INFO
    patterns:
      # Scope: files that load express through a CommonJS `require` assignment.
      # NOTE(review): an ESM `import express from 'express'` is not covered by
      # this pattern, so such files presumably get no finding — verify.
      - pattern-inside: |
          $EXPRESS = require('express')
          ...
      # Each pattern-not-inside suppresses the finding when one of the two CSRF
      # packages is brought in before the app object is created. Only the
      # named-import form (`import {x} from ...`) and `require(...)` are listed;
      # NOTE(review): the default-import form (`import csurf from 'csurf'`) is
      # not listed, so a file using it may still be reported — confirm against
      # semgrep before relying on that.
      - pattern-not-inside: |
          import {$CSRF} from 'csurf'
          ...
      - pattern-not-inside: |
          require('csurf')
          ...
      - pattern-not-inside: |
          import {$CSRF} from 'csrf'
          ...
      - pattern-not-inside: |
          require('csrf')
          ...
      # The finding is reported on the line where the app object is created.
      - pattern: |
          $APP = $EXPRESS()

Examples

express-check-csurf-middleware-usage.js

// Semgrep test fixture for express-check-csurf-middleware-usage: this file
// requires `express` and creates an app but never requires `csurf` or `csrf`,
// so the rule is expected to report the `var app = express()` line below.
var cookieParser = require('cookie-parser') //for cookie parsing
// var csrf = require('csurf') //csrf module
// The csurf require above is deliberately commented out: that is what makes
// the rule fire. As a side effect `csrf` is not defined anywhere in this file,
// so the fixture is meant for static analysis, not for running.
var bodyParser = require('body-parser') //for body parsing

var express = require('express')

// setup route middlewares
var csrfProtection = csrf({
    cookie: true
})
var parseForm = bodyParser.urlencoded({
    extended: false
})

// ruleid: express-check-csurf-middleware-usage
var app = express()

// parse cookies
app.use(cookieParser())

// `/form` runs csrfProtection first; the handler relies on that middleware
// having attached req.csrfToken() so the token can be embedded in the view.
app.get('/form', csrfProtection, function(req, res) {
    // generate and pass the csrfToken to the view
    res.render('send', {
        csrfToken: req.csrfToken()
    })
})

// `/process` parses the form body and then passes through csrfProtection, so
// the submitted token is checked before the handler runs.
app.post('/process', parseForm, csrfProtection, function(req, res) {
    res.send('data is being processed')
})

// `/bad` is a state-changing POST whose middleware chain has no csrfProtection:
// no token is checked before the handler runs. This per-route gap is exactly
// what the rule cannot detect, since it only looks for the package import.
app.post('/bad', parseForm, function(req, res) {
    res.send('data is being processed')
})