javascript.lang.security.detect-no-csrf-before-method-override.detect-no-csrf-before-method-override

Community Favorite
profile photo of semgrepsemgrep
Author
32,824
Download Count*
LGPL Commons Clause
License

Detected use of express.csrf() middleware before express.methodOverride(). This can allow GET requests (which are not checked by csrf) to turn into POST requests later.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: detect-no-csrf-before-method-override
    message: Detected use of express.csrf() middleware before
      express.methodOverride(). This can allow GET requests (which are not
      checked by csrf) to turn into POST requests later.
    metadata:
      cwe:
        - "CWE-352: Cross-Site Request Forgery (CSRF)"
      source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-no-csrf-before-method-override.js
      references:
        - https://github.com/nodesecurity/eslint-plugin-security/blob/master/docs/bypass-connect-csrf-protection-by-abusing.md
      category: security
      technology:
        - javascript
      owasp:
        - A01:2021 - Broken Access Control
        - A05:2017 - Broken Access Control
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site Request Forgery (CSRF)
    languages:
      - javascript
      - typescript
    severity: WARNING
    pattern: |
      express.csrf();
      ...
      express.methodOverride();

Examples

detect-no-csrf-before-method-override.js

function ok() {
    // ok:detect-no-csrf-before-method-override
    express.methodOverride()
    express.csrf()
}

function bad() {
    // ruleid:detect-no-csrf-before-method-override
    express.csrf()
    express.methodOverride()
}