Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

JS/TS: insecure Helmet middleware (new query) #16540

Merged
Merged
Show file tree
Hide file tree
Changes from 13 commits
Commits
Show all changes
32 commits
Select commit Hold shift + click to select a range
3a885ea
Insecure Helmet middle configuration - frameguard or CSP to 'false'
aegilops May 20, 2024
8300aeb
Tests for InsecureHelmet
aegilops May 20, 2024
83037b1
Adjust structure to avoid warnings about message
aegilops May 21, 2024
bda794f
Fixed wrong filenames in the InsecureHelmet tests
aegilops May 21, 2024
68e21a5
Fixed query help formatting issues
aegilops May 21, 2024
65dfd4c
Merge branch 'main' into aegilops/js/insecure-helmet-middleware
aegilops May 21, 2024
f5d465f
Added data extension to allow setting extra required Helmet features
aegilops Jun 7, 2024
29322f5
Merge branch 'aegilops/js/insecure-helmet-middleware' of https://gith…
aegilops Jun 7, 2024
465d64a
Removed br tags
aegilops Jun 7, 2024
7136763
Formatting
aegilops Jun 7, 2024
43a140e
Merge branch 'main' into aegilops/js/insecure-helmet-middleware
aegilops Jun 7, 2024
975811a
Change layout of qhelp example code
aegilops Jun 7, 2024
7ee5655
Merge branch 'aegilops/js/insecure-helmet-middleware' of https://gith…
aegilops Jun 7, 2024
da9e1e6
Moved examples into separate files
aegilops Jun 18, 2024
81ef255
Change to helmetProperty from helmetSetting variable name
aegilops Jun 19, 2024
f4691b1
Changed to more-modern Dataflow libraries
aegilops Jun 19, 2024
de96d39
Renamed to helmetProperty everywhere
aegilops Jun 19, 2024
8a3cec4
Fix formatting for check
aegilops Jun 19, 2024
d142f83
Change note and changed name of query in `.ql` file
aegilops Jun 19, 2024
3a98edb
Merge branch 'main' into aegilops/js/insecure-helmet-middleware
aegilops Jun 19, 2024
252c9e9
Added data extension to set defaults, updated help, added README to e…
aegilops Jun 19, 2024
26f1b36
Fixed formatting
aegilops Jun 19, 2024
a07639f
Set severity to 7.0, in line with other configuration queries
aegilops Jun 19, 2024
1ecd727
Renamed README to CUSTOMIZING, removed details from qhelp and referen…
aegilops Jun 19, 2024
f227789
Fixed expected test results for Helmet query
aegilops Jun 26, 2024
d1d0829
More external references
aegilops Jul 1, 2024
fc6fba8
Fixed CWE tags
aegilops Jul 1, 2024
c003f26
Fixed missing li closing tag
aegilops Jul 8, 2024
d896fdf
Merge branch 'main' into aegilops/js/insecure-helmet-middleware
aegilops Jul 8, 2024
2aff2a7
Fixed code markup
aegilops Jul 8, 2024
5a3328b
Merge branch 'aegilops/js/insecure-helmet-middleware' of https://gith…
aegilops Jul 8, 2024
412ad17
Merge branch 'main' into aegilops/js/insecure-helmet-middleware
aegilops Jul 11, 2024
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
93 changes: 93 additions & 0 deletions javascript/ql/src/Security/CWE-693/InsecureHelmet.qhelp
Original file line number Diff line number Diff line change
@@ -0,0 +1,93 @@
<!DOCTYPE qhelp SYSTEM "qhelp.dtd">
<qhelp>
<overview>
<p>
<a href="https://helmetjs.github.io/">Helmet</a> is a collection of middleware functions for securing Express apps. It sets various HTTP headers to guard against common web vulnerabilities.

This query detects Helmet misconfigurations that can lead to security vulnerabilities, specifically:
</p>

<ul>
<li>Disabling frame protection</li>
<li>Disabling Content Security Policy</li>
</ul>

<p>
Content Security Policy (CSP) helps spot and prevent injection attacks such as Cross-Site Scripting (XSS).

Removing frame protections exposes an application to attacks such as clickjacking, where an attacker can trick a user into clicking on a button or link on a targeted page when they intended to click on the page carrying out the attack.
</p>

<p>
Users of the query can extend the set of required Helmet features by adding additional checks for them, using CodeQL <a href="https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-javascript/">data extensions</a>.
</p>

<pre>
extensions:
- addsTo:
pack: codeql/javascript-all
extensible: requiredHelmetSecuritySetting
data:
- name: "frameguard"
</pre>

<p>
Note: <code>frameguard</code> is an example: the query already enforces this setting, so it is not necessary to add it to the data extension.
</p>

</overview>
<recommendation>
<p>
To help mitigate these vulnerabilities, ensure that the following Helmet functions are not disabled, and are configured appropriately to your application:
</p>

<ul>
<li><code>frameguard</code></li>
<li><code>contentSecurityPolicy</code></li>
</ul>
</recommendation>
<example>
<p>
The following code snippet demonstrates Helmet configured in an insecure manner:
</p>

<pre>
const helmet = require('helmet');
app.use(helmet({
frameguard: false,
contentSecurityPolicy: false
}));
</pre>
aegilops marked this conversation as resolved.
Show resolved Hide resolved

<p>
In this example, the defaults are used, which enables frame protection and a default Content Security Policy.
</p>

<pre>
app.use(helmet());
</pre>

<p>
You can also enable a custom Content Security Policy by passing an object to the <code>contentSecurityPolicy</code> key. For example, taken from the <a href="https://helmetjs.github.io/#content-security-policy">Helmet docs</a>:
</p>

<pre>
app.use(
helmet({
contentSecurityPolicy: {
directives: {
"script-src": ["'self'", "example.com"],
"style-src": null,
},
},
})
);
</pre>

</example>
<references>
aegilops marked this conversation as resolved.
Show resolved Hide resolved
<li>
<a href="https://helmetjs.github.io/">helmet.js website</a>
</li>
</references>
</qhelp>
58 changes: 58 additions & 0 deletions javascript/ql/src/Security/CWE-693/InsecureHelmet.ql
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
/**
* @name Insecure configuration of Helmet security middleware
* @description The Helmet middleware is used to set security-related HTTP headers in Express applications. This query finds instances where the middleware is configured with important security features disabled.
* @kind problem
* @problem.severity error
* @security-severity 5.0
* @precision high
* @id javascript/insecure-helmet-configuration
* @tags security
* cwe-693
* cwe-1021
*/

import semmle.javascript.frameworks.ExpressModules

class HelmetProperty extends Property {
ExpressLibraries::HelmetRouteHandler helmet;

HelmetProperty() {
helmet.(DataFlow::CallNode).getAnArgument().asExpr().(ObjectExpr).getAProperty() = this
}

ExpressLibraries::HelmetRouteHandler getHelmet() { result = helmet }

predicate isFalse() { this.getInit().(BooleanLiteral).getBoolValue() = false }

predicate isImportantSecuritySetting() {
this.getName() in ["frameguard", "contentSecurityPolicy"]
or
// read from data extensions to allow enforcing other settings
requiredHelmetSecuritySetting(this.getName())
}
}
aegilops marked this conversation as resolved.
Show resolved Hide resolved

/*
* Extend the required Helmet security settings using data extensions.
* Docs: https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-javascript/
* For example:
*
* extensions:
* - addsTo:
* pack: codeql/javascript-all
* extensible: requiredHelmetSecuritySetting
* data:
* - name: "frameguard"
*
* Note: `frameguard` is an example: the query already enforces this setting, so it is not necessary to add it to the data extension.
*/

extensible predicate requiredHelmetSecuritySetting(string name);
aegilops marked this conversation as resolved.
Show resolved Hide resolved

from HelmetProperty helmetSetting, ExpressLibraries::HelmetRouteHandler helmet
aegilops marked this conversation as resolved.
Show resolved Hide resolved
where
helmetSetting.isFalse() and
helmetSetting.isImportantSecuritySetting() and
helmetSetting.getHelmet() = helmet
select helmet, "Helmet route handler, called with $@ set to 'false'.", helmetSetting,
helmetSetting.getName()
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
| InsecureHelmetBad.js:7:5:7:32 | content ... : false | Helmet route handler, called with $@ set to 'false' | InsecureHelmetBad.js:7:5:7:32 | content ... : false | contentSecurityPolicy |
| InsecureHelmetBad.js:8:5:8:21 | frameguard: false | Helmet route handler, called with $@ set to 'false' | InsecureHelmetBad.js:8:5:8:21 | frameguard: false | frameguard |
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Security/CWE-693/InsecureHelmet.ql
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
const express = require("express");
const helmet = require("helmet");

const app = express();

app.use(helmet({
contentSecurityPolicy: false, // BAD: switch off default CSP
frameguard: false // BAD: switch off default frameguard
}));

app.get("/", (req, res) => {
res.send("Hello, world!");
});

app.listen(3000, () => {
console.log("App is listening on port 3000");
});
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
const express = require("express");
const helmet = require("helmet");

const app = express();

app.use(helmet()); // GOOD: use the defaults

app.get("/", (req, res) => {
res.send("Hello, world!");
});

app.listen(3000, () => {
console.log("App is listening on port 3000");
});
Loading