codeql/javascript/ql/test/query-tests/Security/CWE-352/csurf_api_example.js at bb8f4529bf8e2fd5671b9c118351aec1717a6b1c · asgerf/codeql · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
// Adapted from https://github.com/expressjs/csurf, which is
// licensed under the MIT license; see file LICENSE.

var cookieParser = require('cookie-parser')
var csrf = require('csurf')
var bodyParser = require('body-parser')
var express = require('express')

// create express app
var app = express()

// create api router
var api = createApiRouter()

// mount api before csrf is appended to the app stack
app.use('/api', api)

// now add csrf and other middlewares, after the "/api" was mounted
app.use(bodyParser.urlencoded({ extended: false }))
app.use(cookieParser())
app.use(csrf({ cookie: true }))

app.get('/form', function (req, res) {
  let newEmail = req.cookies["newEmail"];
  // pass the csrfToken to the view
  res.render('send', { csrfToken: req.csrfToken() })
})

app.post('/process', function (req, res) { // OK
  let newEmail = req.cookies["newEmail"];
  res.send('csrf was required to get here')
})

function createApiRouter () {
  var router = new express.Router()

  router.post('/getProfile', function (req, res) { // OK - cookies are not parsed
    let newEmail = req.cookies["newEmail"];
    res.send('no csrf to get here')
  })

  router.post('/getProfile_unsafe', cookieParser(), function (req, res) { // $ Alert - may use cookies
    let newEmail = req.cookies["newEmail"];
    res.send('no csrf to get here')
  }) // $ RelatedLocation

  return router
}