javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage
A CSRF middleware was not detected in your Express application. Ensure that you are either using one, such as csurf or csrf (see rule references), and/or that you are properly performing CSRF validation yourself in your routes with a token or cookies.
Definition
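# Audit rule: reports `$APP = $EXPRESS()` in any file that requires
# `express` but never imports the `csurf` or `csrf` package. It is a
# presence check only — it does not verify that the middleware is actually
# mounted (e.g. `app.use(...)`) or applied to every state-changing route,
# which is why confidence is LOW and severity is INFO.
#
# NOTE(review): the trigger only recognises CommonJS `require('express')`;
# an ESM application (`import express from 'express'`) is never scanned —
# TODO consider a `pattern-either` covering both forms.
# NOTE(review): the `csurf` package has been marked deprecated upstream;
# consider updating the message/references to point at a maintained
# alternative.
rules:
  - id: express-check-csurf-middleware-usage
    message: A CSRF middleware was not detected in your express application. Ensure
      you are either using one such as `csurf` or `csrf` (see rule references)
      and/or you are properly doing CSRF validation in your routes with a token
      or cookies.
    metadata:
      category: security
      references:
        - https://www.npmjs.com/package/csurf
        - https://www.npmjs.com/package/csrf
        - https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
      cwe:
        - "CWE-352: Cross-Site Request Forgery (CSRF)"
      owasp:
        - A01:2021 - Broken Access Control
      technology:
        - javascript
        - typescript
        - express
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site Request Forgery (CSRF)
    languages:
      - javascript
      - typescript
    severity: INFO
    patterns:
      # Only files that require express are in scope; $EXPRESS is reused
      # by the final `pattern` so the flagged call is the express factory.
      - pattern-inside: |
          $EXPRESS = require('express')
          ...
      # Any import of a CSRF package anywhere in the file suppresses the
      # finding. Named import form:
      - pattern-not-inside: |
          import {$CSRF} from 'csurf'
          ...
      # Default and namespace import forms are distinct from the braced
      # named import above, so they need their own exclusions; without
      # them an ESM app that does use the middleware still gets a finding.
      - pattern-not-inside: |
          import $CSRF from 'csurf'
          ...
      - pattern-not-inside: |
          import * as $CSRF from 'csurf'
          ...
      - pattern-not-inside: |
          require('csurf')
          ...
      - pattern-not-inside: |
          import {$CSRF} from 'csrf'
          ...
      - pattern-not-inside: |
          import $CSRF from 'csrf'
          ...
      - pattern-not-inside: |
          import * as $CSRF from 'csrf'
          ...
      - pattern-not-inside: |
          require('csrf')
          ...
      # The reported location: the express app construction.
      - pattern: |
          $APP = $EXPRESS()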
Examples
express-check-csurf-middleware-usage.js
// Semgrep test fixture for express-check-csurf-middleware-usage. The rule
// fires on the `express()` call below because this file never imports
// `csurf` or `csrf`: the require on the next line is deliberately commented
// out so that none of the rule's pattern-not-inside exclusions apply.
var cookieParser = require('cookie-parser') //for cookie parsing
// var csrf = require('csurf') //csrf module
var bodyParser = require('body-parser') //for body parsing
var express = require('express')
// setup route middlewares
// NOTE: `csrf` is never defined in this file (its require is commented out
// above); the fixture appears to exist only for static matching by Semgrep
// and is not meant to be executed.
var csrfProtection = csrf({
  cookie: true
})
var parseForm = bodyParser.urlencoded({
  extended: false
})
// ruleid: express-check-csurf-middleware-usage
var app = express()
// parse cookies
app.use(cookieParser())
// GET /form: csrfProtection runs ahead of the handler, which calls
// req.csrfToken() — presumably provided by that middleware — and hands the
// token to the view so a later POST can send it back.
app.get('/form', csrfProtection, function(req, res) {
  // generate and pass the csrfToken to the view
  res.render('send', {
    csrfToken: req.csrfToken()
  })
})
// POST /process: the body parser is mounted ahead of csrfProtection,
// presumably so the submitted form is parsed before the token is checked.
app.post('/process', parseForm, csrfProtection, function(req, res) {
  res.send('data is being processed')
})
// POST /bad: a state-changing route with no csrfProtection in its chain.
// This is exactly the gap the audit rule cannot see on its own — it only
// checks whether a CSRF package is imported somewhere in the file, not
// whether every mutating route is actually protected.
app.post('/bad', parseForm, function(req, res) {
  res.send('data is being processed')
})
Short Link: https://sg.run/BxzR