JS: recognize CSRF middleware from lusca package

Author: asger-semmle

javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.ql

@@ -38,12 +38,15 @@ predicate hasCookieMiddleware(Express::RouteHandlerExpr expr, Express::RouteHand
  *   // protected from CSRF
  * })
  * ```
- *
- * Currently the predicate only detects `csurf`-based protectors.
  */
 DataFlow::CallNode csrfMiddlewareCreation() {
-  exists (DataFlow::ModuleImportNode mod | result = mod.getACall() |
-    mod.getPath() = "csurf"
+  exists (DataFlow::SourceNode callee | result = callee.getACall() |
+    callee = DataFlow::moduleImport("csurf")
+    or
+    callee = DataFlow::moduleImport("lusca") and
+    result.getOptionArgument(0, "csrf").analyze().getABooleanValue() = true // any truthy value will enable CSRF
+    or
+    callee = DataFlow::moduleMember("lusca", "csrf")
   )
 }
 

javascript/ql/test/query-tests/Security/CWE-352/MissingCsrfMiddleware.expected

@@ -1,3 +1,6 @@
 | MissingCsrfMiddlewareBad.js:7:9:7:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | MissingCsrfMiddlewareBad.js:10:26:11:1 | functio ... es) {\\n} | here |
 | csurf_api_example.js:39:37:39:50 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | csurf_api_example.js:39:53:41:3 | functio ... e')\\n  } | here |
 | csurf_example.js:18:9:18:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | csurf_example.js:29:40:31:1 | functio ... sed')\\n} | here |
+| lusca_example.js:9:9:9:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | lusca_example.js:23:42:25:1 | functio ... sed')\\n} | here |
+| lusca_example.js:9:9:9:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | lusca_example.js:27:55:29:1 | functio ... sed')\\n} | here |
+| lusca_example.js:9:9:9:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | lusca_example.js:31:40:33:1 | functio ... sed')\\n} | here |

javascript/ql/test/query-tests/Security/CWE-352/lusca_example.js

@@ -0,0 +1,33 @@
+var express = require('express')
+var cookieParser = require('cookie-parser')
+var bodyParser = require('body-parser')
+
+var parseForm = bodyParser.urlencoded({ extended: false })
+var lusca = require('lusca');
+
+var app = express()
+app.use(cookieParser())
+
+app.post('/process', parseForm, lusca.csrf(), function (req, res) { // OK
+  res.send('data is being processed')
+})
+
+app.post('/process', parseForm, lusca({csrf:true}), function (req, res) { // OK
+  res.send('data is being processed')
+})
+
+app.post('/process', parseForm, lusca({csrf:{}}), function (req, res) { // OK
+  res.send('data is being processed')
+})
+
+app.post('/process', parseForm, lusca(), function (req, res) { // NOT OK - missing csrf option
+  res.send('data is being processed')
+})
+
+app.post('/process', parseForm, lusca({csrf: false}), function (req, res) { // NOT OK - csrf disabled
+  res.send('data is being processed')
+})
+
+app.post('/process_unsafe', parseForm, function (req, res) { // NOT OK
+  res.send('data is being processed')
+})