/**
 * @name Insecure configuration of Helmet security middleware
 * @description The Helmet middleware is used to set security-related HTTP headers in Express applications. This query finds instances where the middleware is configured with important security features disabled.
 * @kind problem
 * @problem.severity error
 * @security-severity 7.0
 * @precision high
 * @id js/insecure-helmet-configuration
 * @tags security
 *        external/cwe/cwe-693
 *        external/cwe/cwe-1021
 */

import javascript
import semmle.javascript.frameworks.ExpressModules
import semmle.javascript.frameworks.helmet.Helmet

from HelmetProperty helmetProperty, ExpressLibraries::HelmetRouteHandler helmet
where
  helmetProperty.isFalse() and
  helmetProperty.isImportantSecuritySetting() and
  helmetProperty.getHelmet() = helmet
select helmet,
  "Helmet security middleware, configured with security setting $@ set to 'false', which disables enforcing that feature.",
  helmetProperty, helmetProperty.getName()