javascript.lang.security.detect-no-csrf-before-method-override.detect-no-csrf-before-method-override
Community Favorite
Author: semgrep
Download Count*: 32,824
License: Commons Clause License Condition v1.0[LGPL-2.1-only]
Detected use of express.csrf() middleware before express.methodOverride(). This can allow GET requests (which are not checked by csrf) to turn into POST requests later.
Definition
rules:
  - id: detect-no-csrf-before-method-override
    message: Detected use of express.csrf() middleware before
      express.methodOverride(). This can allow GET requests (which are not
      checked by csrf) to turn into POST requests later.
    metadata:
      cwe:
        - "CWE-352: Cross-Site Request Forgery (CSRF)"
      source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-no-csrf-before-method-override.js
      references:
        - https://github.com/nodesecurity/eslint-plugin-security/blob/master/docs/bypass-connect-csrf-protection-by-abusing.md
      category: security
      technology:
        - javascript
      owasp:
        - A01:2021 - Broken Access Control
        - A05:2017 - Broken Access Control
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site Request Forgery (CSRF)
    languages:
      - javascript
      - typescript
    severity: WARNING
    pattern: |
      express.csrf();
      ...
      express.methodOverride();
Examples
detect-no-csrf-before-method-override.js
function ok() {
  // ok:detect-no-csrf-before-method-override
  express.methodOverride()
  express.csrf()
}

function bad() {
  // ruleid:detect-no-csrf-before-method-override
  express.csrf()
  express.methodOverride()
}
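The following is an added example, not part of the Semgrep registry entry or of Express itself. It uses a small stand-in for an Express/Connect middleware chain (the `methodOverride`, `csrf` and `runChain` functions and the `_method` query parameter are simplified re-creations of the historical behaviour, not the real library code) to show why the ordering the rule flags matters: a CSRF check that runs before method override sees a GET and skips validation, and the request is only promoted to POST afterwards.

```javascript
// Added example: a minimal simulation of an Express-style middleware chain.
// It is not Express code; the three functions below imitate the behaviour
// of express.methodOverride() and express.csrf() closely enough to show
// why their order matters.

// Stand-in for express.methodOverride(): rewrite req.method from a
// `_method` query parameter (the historical override mechanism).
function methodOverride(req, next) {
  const override = req.query && req.query._method;
  if (override) {
    req.originalMethod = req.method;
    req.method = String(override).toUpperCase();
  }
  next();
}

// Stand-in for express.csrf(): only state-changing methods are validated;
// GET, HEAD and OPTIONS pass through with no token check at all.
function csrf(req, next) {
  const safeMethods = ['GET', 'HEAD', 'OPTIONS'];
  if (safeMethods.includes(req.method)) return next();
  if (req.body && req.body._csrf === req.session.csrfToken) return next();
  const err = new Error('invalid csrf token');
  err.status = 403;
  next(err);
}

// Run a request through the middlewares in order, then into a final route
// handler that performs a state change only for POST. Returns what happened.
function runChain(middlewares, req) {
  const result = { method: req.method, handled: false, status: 200 };
  let i = 0;
  function next(err) {
    if (err) {
      result.status = err.status || 500;
      return;
    }
    if (i < middlewares.length) return middlewares[i++](req, next);
    if (req.method === 'POST') result.handled = true; // the "dangerous" action
  }
  next();
  result.method = req.method; // method as the route handler would see it
  return result;
}

// Constructed request: a GET carrying `_method=POST`, the shape a cross-site
// link or image tag can produce. A token is attached only when supplied.
function makeRequest(token) {
  return {
    method: 'GET',
    query: { _method: 'POST' },
    body: token ? { _csrf: token } : {},
    session: { csrfToken: 'constructed-token' }, // constructed session value
  };
}

// The order the Semgrep rule flags: csrf() before methodOverride().
function vulnerableOrder(token) {
  return runChain([csrf, methodOverride], makeRequest(token));
}

// The corrected order: methodOverride() first, so csrf() sees the real POST.
function safeOrder(token) {
  return runChain([methodOverride, csrf], makeRequest(token));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('csrf -> methodOverride (no token):', vulnerableOrder());
  console.log('methodOverride -> csrf (no token):', safeOrder());
  console.log('methodOverride -> csrf (valid token):', safeOrder('constructed-token'));
}
```

In the flagged order a tokenless GET reaches the handler as a POST, which is exactly the bypass the rule message describes; in the corrected order the same request is rejected with 403 unless it carries the session's token. Registering `methodOverride()` before `csrf()` is the fix the rule's `ok` case encodes.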
Short Link: https://sg.run/oxoX