JS: review comments

Author: asger-semmle

change-notes/1.19/analysis-javascript.md

@@ -22,6 +22,6 @@
 | Regular expression injection | Fewer false-positive results | This rule now identifies calls to `String.prototype.search` with more precision. |
 | Unbound event handler receiver | Fewer false-positive results | This rule now recognizes additional ways class methods can be bound. |
 | Remote property injection | Fewer results | The precision of this rule has been revised to "medium". Results are no longer shown on LGTM by default. |
-| Missing CSRF middleware | Fewer false-positive results | This rule now recognizes CSRF middleware from the [lusca](https://www.npmjs.com/package/lusca) package. |
+| Missing CSRF middleware | Fewer false-positive results | This rule now recognizes additional CSRF protection middlewares. |
 
 ## Changes to QL libraries

javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.ql

@@ -44,7 +44,7 @@ DataFlow::CallNode csrfMiddlewareCreation() {
     callee = DataFlow::moduleImport("csurf")
     or
     callee = DataFlow::moduleImport("lusca") and
-    result.getOptionArgument(0, "csrf").analyze().getABooleanValue() = true // any truthy value will enable CSRF
+    exists(result.getOptionArgument(0, "csrf"))
     or
     callee = DataFlow::moduleMember("lusca", "csrf")
   )

javascript/ql/test/query-tests/Security/CWE-352/MissingCsrfMiddleware.expected

@@ -2,5 +2,4 @@
 | csurf_api_example.js:39:37:39:50 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | csurf_api_example.js:39:53:41:3 | functio ... e')\\n  } | here |
 | csurf_example.js:18:9:18:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | csurf_example.js:29:40:31:1 | functio ... sed')\\n} | here |
 | lusca_example.js:9:9:9:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | lusca_example.js:23:42:25:1 | functio ... sed')\\n} | here |
-| lusca_example.js:9:9:9:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | lusca_example.js:27:55:29:1 | functio ... sed')\\n} | here |
-| lusca_example.js:9:9:9:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | lusca_example.js:31:40:33:1 | functio ... sed')\\n} | here |
+| lusca_example.js:9:9:9:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | lusca_example.js:27:40:29:1 | functio ... sed')\\n} | here |

javascript/ql/test/query-tests/Security/CWE-352/lusca_example.js

@@ -24,10 +24,6 @@ app.post('/process', parseForm, lusca(), function (req, res) { // NOT OK - missi
   res.send('data is being processed')
 })
 
-app.post('/process', parseForm, lusca({csrf: false}), function (req, res) { // NOT OK - csrf disabled
-  res.send('data is being processed')
-})
-
 app.post('/process_unsafe', parseForm, function (req, res) { // NOT OK
   res.send('data is being processed')
 })