JS: Recognize req.user a cookie access

asgerf · asgerf · commit b98db62e8211 · 2020-01-24T09:44:20.000Z
diff --git a/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.ql b/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.ql
@@ -12,16 +12,16 @@
 
 import javascript
 
-/** Gets the string `session` or `cookies`, the parts of `req` containing cookie data. */
-string sessionOrCookies() {
-  result = "session" or result = "cookies"
+/** Gets a property name of `req` which refers to data usually derived from cookie data. */
+string cookieProperty() {
+  result = "session" or result = "cookies" or result = "user"
 }
 
 /** Gets a data flow node that flows to the base of an access to `cookies` or `session`. */
 private DataFlow::SourceNode nodeLeadingToCookieAccess(DataFlow::TypeBackTracker t) {
   t.start() and
   exists(DataFlow::PropRead value |
-    value = result.getAPropertyRead(sessionOrCookies()).getAPropertyRead() and
+    value = result.getAPropertyRead(cookieProperty()).getAPropertyRead() and
 
     // Ignore accesses to values that are part of a CSRF or captcha check
     not value.getPropertyName().regexpMatch("(?i).*(csrf|xsrf|captcha).*") and
diff --git a/javascript/ql/test/query-tests/Security/CWE-352/MissingCsrfMiddleware.expected b/javascript/ql/test/query-tests/Security/CWE-352/MissingCsrfMiddleware.expected
@@ -4,3 +4,5 @@
 | lusca_example.js:9:9:9:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | lusca_example.js:26:42:29:1 | functio ... sed')\\n} | here |
 | lusca_example.js:9:9:9:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | lusca_example.js:31:40:34:1 | functio ... sed')\\n} | here |
 | unused_cookies.js:6:9:6:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | unused_cookies.js:8:34:13:1 | (req, r ... Ok');\\n} | here |
+| unused_cookies.js:6:9:6:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | unused_cookies.js:29:19:32:1 | (req, r ... Ok');\\n} | here |
+| unused_cookies.js:6:9:6:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | unused_cookies.js:34:22:37:1 | (req, r ... Ok');\\n} | here |
diff --git a/javascript/ql/test/query-tests/Security/CWE-352/unused_cookies.js b/javascript/ql/test/query-tests/Security/CWE-352/unused_cookies.js
@@ -26,4 +26,14 @@ app.post('/doWithCaptcha', (req, res) => { // OK - attacker can't guess the capt
     res.end('Ok');
 });
 
+app.post('/user', (req, res) => { // NOT OK - access to req.user is unprotected
+    somethingElse(req.user.name);
+    res.end('Ok');
+});
+
+app.post('/session', (req, res) => { // NOT OK - access to req.session is unprotected
+    somethingElse(req.session.name);
+    res.end('Ok');
+});
+
 app.listen();
