Merge pull request #4521 from erik-krogh/moreMiddle

codeql-ci · web-flow · commit 7ea8652f4957 · 2020-10-20T07:14:14.000-07:00
Approved by asgerf
diff --git a/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.ql b/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.ql
@@ -100,18 +100,21 @@ DataFlow::CallNode csrfMiddlewareCreation() {
 }
 
 /**
- * Gets a data flow node that flows to the base of a write to `cookies`, `session`, or `user`,
- * where the written property has `csrf` or `xsrf` in its name.
+ * Gets a data flow node that flows to the base of a reference to `cookies`, `session`, or `user`,
+ * where the references property has `csrf` or `xsrf` in its name,
+ * and a property is either written or part of a comparison.
  */
-private DataFlow::SourceNode nodeLeadingToCsrfWrite(DataFlow::TypeBackTracker t) {
+private DataFlow::SourceNode nodeLeadingToCsrfWriteOrCheck(DataFlow::TypeBackTracker t) {
   t.start() and
-  result
-      .getAPropertyRead(cookieProperty())
-      .getAPropertyWrite()
-      .getPropertyName()
-      .regexpMatch("(?i).*(csrf|xsrf).*")
+  exists(DataFlow::PropRef ref |
+    ref = result.getAPropertyRead(cookieProperty()).getAPropertyReference() and
+    ref.getPropertyName().regexpMatch("(?i).*(csrf|xsrf).*")
+  |
+    ref instanceof DataFlow::PropWrite or
+    ref.(DataFlow::PropRead).asExpr() = any(EqualityTest c).getAnOperand()
+  )
   or
-  exists(DataFlow::TypeBackTracker t2 | result = nodeLeadingToCsrfWrite(t2).backtrack(t2, t))
+  exists(DataFlow::TypeBackTracker t2 | result = nodeLeadingToCsrfWriteOrCheck(t2).backtrack(t2, t))
 }
 
 /**
@@ -131,7 +134,7 @@ private Express::RouteHandler getAHandlerSettingCsrfCookie() {
  */
 predicate isCsrfProtectionRouteHandler(Express::RouteHandler handler) {
   DataFlow::parameterNode(handler.getRequestParameter()) =
-    nodeLeadingToCsrfWrite(DataFlow::TypeBackTracker::end())
+    nodeLeadingToCsrfWriteOrCheck(DataFlow::TypeBackTracker::end())
   or
   handler = getAHandlerSettingCsrfCookie()
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-352/MissingCsrfMiddlewareGood2.js b/javascript/ql/test/query-tests/Security/CWE-352/MissingCsrfMiddlewareGood2.js
@@ -89,4 +89,31 @@ var passport = require('passport');
     app.post('/changeEmail', function (req, res) {
         let newEmail = req.cookies["newEmail"];
     })
-});
+});
+
+
+(function () {
+    var app = express()
+
+    app.use(cookieParser())
+    app.use(passport.authorize({ session: true }))
+
+    function checkToken(req) {
+        if (req.headers.xsrfToken !== req.session.xsrfToken) {
+            throw new Error("Halt and catch fire!")
+        }
+    }
+
+    function setCsrfToken(req, response, next) {
+        req.session.xsrfToken = req.csrfToken();
+        next();
+    }
+
+    app.use(checkToken);
+
+    app.post('/changeEmail', function (req, res) {
+        let newEmail = req.cookies["newEmail"];
+    });
+
+    app.use(setCsrfToken); // There is nothing wrong with setting the token late, as long as it is checked early.
+});
