codeql/javascript/ql/src/Security/CWE-693/InsecureHelmet.ql at 3a885eaf9f64b190e89d420f4443e23ccb115951 · github/codeql · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
/**
 * @name Insecure configuration of Helmet security middleware
 * @description The Helmet middleware is used to set security-related HTTP headers in Express applications. This query finds instances where the middleware is configured with important security features disabled.
 * @kind problem
 * @problem.severity error
 * @security-severity 5.0
 * @precision high
 * @id javascript/insecure-helmet-configuration
 * @tags security
 *        cwe-693
 *        cwe-1021
 */

import semmle.javascript.frameworks.ExpressModules

class HelmetProperty extends Property {
  HelmetProperty() {
    exists(ExpressLibraries::HelmetRouteHandler helmet |
      helmet.(DataFlow::CallNode).getAnArgument().asExpr().(ObjectExpr).getAProperty() = this
    )
  }

  predicate isFalse() { this.getInit().(BooleanLiteral).getBoolValue() = false }

  predicate isImportantSecuritySetting() {
    this.getName() in ["frameguard", "contentSecurityPolicy"]
    // read from data extensions to allow enforcing other settings
    // TODO
  }
}

from HelmetProperty helmetSetting
where
  helmetSetting.isFalse() and
  helmetSetting.isImportantSecuritySetting()
select helmetSetting, "Helmet route handler, called with $@ set to 'false'", helmetSetting, helmetSetting.getName()