javascript.express.security.x-frame-options-misconfiguration.x-frame-options-misconfiguration

profile photo of semgrepsemgrep
Author
unknown
Download Count*
LGPL Commons Clause
License

By letting user input control X-Frame-Options header, there is a risk that software does not properly verify whether or not a browser should be allowed to render a page in an iframe.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: x-frame-options-misconfiguration
    message: By letting user input control `X-Frame-Options` header, there is a risk
      that software does not properly verify whether or not a browser should be
      allowed to render a page in an `iframe`.
    metadata:
      references:
        - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
      owasp:
        - A04:2021 - Insecure Design
      cwe:
        - "CWE-451: User Interface (UI) Misrepresentation of Critical
          Information"
      category: security
      technology:
        - express
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Other
    languages:
      - javascript
      - typescript
    severity: WARNING
    mode: taint
    pattern-sources:
      - patterns:
          - pattern-either:
              - pattern-inside: function ... ($REQ, $RES) {...}
              - pattern-inside: function ... ($REQ, $RES, $NEXT) {...}
              - patterns:
                  - pattern-either:
                      - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...})
                      - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})
                  - metavariable-regex:
                      metavariable: $METHOD
                      regex: ^(get|post|put|head|delete|options)$
          - pattern-either:
              - pattern: $REQ.query
              - pattern: $REQ.body
              - pattern: $REQ.params
              - pattern: $REQ.cookies
              - pattern: $REQ.headers
      - patterns:
          - pattern-either:
              - pattern-inside: |
                  ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>
                  {...}
              - pattern-inside: |
                  ({ $REQ }: Request,$RES: Response) => {...}
          - focus-metavariable: $REQ
          - pattern-either:
              - pattern: params
              - pattern: query
              - pattern: cookies
              - pattern: headers
              - pattern: body
    pattern-sinks:
      - patterns:
          - pattern-either:
              - pattern: $RES.set($HEADER, ...)
              - pattern: $RES.header($HEADER, ...)
              - pattern: $RES.setHeader($HEADER, ...)
              - pattern: |
                  $RES.set({$HEADER: ...}, ...)
              - pattern: |
                  $RES.writeHead($STATUS, {$HEADER: ...}, ...)
          - metavariable-regex:
              metavariable: $HEADER
              regex: .*(X-Frame-Options|x-frame-options).*

Examples

x-frame-options-misconfiguration.js

var express = require('express'),
    app = express();

app.get('/', function (req, res) {
    // ruleid: x-frame-options-misconfiguration
    res.set('X-Frame-Options', req.query.opts)
    res.send('ok')
})

app.get('/', function (req, res) {
    // ok: x-frame-options-misconfiguration
    res.set('X-Frame-Options', 'SAMEORIGIN')
    res.send('ok')
})