/**
* @name Insecure configuration of Helmet security middleware
* @description The Helmet middleware is used to set security-related HTTP headers in Express applications. This query finds instances where the middleware is configured with important security features disabled.
* @kind problem
* @problem.severity error
* @security-severity 5.0
* @precision high
* @id js/insecure-helmet-configuration
* @tags security
* cwe-693
* cwe-1021
*/
import semmle.javascript.frameworks.ExpressModules
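/**
 * A property write on the options object passed to a `helmet(...)` call,
 * e.g. the `frameguard` key in `helmet({ frameguard: false })`.
 *
 * Only property writes found on the local source of the call argument are
 * tracked (`getALocalSource().getAPropertyWrite()`), so an options object
 * assembled elsewhere and passed in through other flow may not be modelled;
 * that is a precision trade-off of this query, not a guarantee of coverage.
 */
class HelmetProperty extends DataFlow::Node instanceof DataFlow::PropWrite {
  ExpressLibraries::HelmetRouteHandler helmet;

  HelmetProperty() {
    this = helmet.(DataFlow::CallNode).getAnArgument().getALocalSource().getAPropertyWrite()
  }

  /** Gets the `helmet(...)` call whose options object this property is written on. */
  ExpressLibraries::HelmetRouteHandler getHelmet() { result = helmet }

  /**
   * Holds if the value written to this property may be the boolean `false`,
   * i.e. the corresponding Helmet protection is being switched off.
   *
   * Bug fix: the check must look for `false`, not `true`. Testing for `true`
   * inverted the predicate, so `helmet({ frameguard: true })` (protection kept on)
   * was reported while `helmet({ frameguard: false })` (protection disabled) was
   * missed, contradicting both the predicate name and the "set to 'false'" alert.
   */
  predicate isFalse() { DataFlow::PropWrite.super.getRhs().mayHaveBooleanValue(false) }

  /** Gets the name of the Helmet option written by this property, e.g. `"frameguard"`. */
  string getName() { result = DataFlow::PropWrite.super.getPropertyName() }

  /**
   * Holds if this property controls a protection the query enforces: the built-in
   * `frameguard` and `contentSecurityPolicy` options, plus any option name
   * contributed through the `requiredHelmetSecuritySetting` data extension.
   */
  predicate isImportantSecuritySetting() {
    this.getName() in ["frameguard", "contentSecurityPolicy"]
    or
    // Names supplied via data extensions, so deployments can enforce further options
    // without editing the query.
    requiredHelmetSecuritySetting(this.getName())
  }
}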
/*
* Extend the required Helmet security settings using data extensions.
* Docs: https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-javascript/
* For example:
*
* extensions:
* - addsTo:
* pack: codeql/javascript-all
* extensible: requiredHelmetSecuritySetting
* data:
* - name: "frameguard"
*
* Note: `frameguard` is only an example here; the query already enforces that setting, so it does not need to be added through a data extension. Names added this way are checked under the same condition as the built-in ones (the option is set to `false`).
*/
/**
 * Holds if `name` is a Helmet option that must not be set to `false`, in addition
 * to the options the query checks by default (`frameguard`, `contentSecurityPolicy`).
 * Populated from data extensions only; it has no tuples unless a model pack
 * contributes rows for it.
 */
extensible predicate requiredHelmetSecuritySetting(string name);
// Report each `helmet(...)` call whose options object writes `false` to one of the
// enforced security options. The alert is placed on the Helmet call and links to the
// offending property write, naming the option that was disabled.
from HelmetProperty option, ExpressLibraries::HelmetRouteHandler handler
where
  handler = option.getHelmet() and
  option.isImportantSecuritySetting() and
  option.isFalse()
select handler, "Helmet route handler, called with $@ set to 'false'.", option, option.getName()