Merge pull request github#9261 from erik-krogh/passport

JS: remove support for passport in the session-fixation query

Author: erik-krogh

javascript/ql/src/Security/CWE-384/SessionFixation.ql

@@ -19,7 +19,7 @@ import javascript
  */
 pragma[inline]
 predicate isLoginSetup(Express::RouteSetup setup) {
-  // either some path that contains "login" with a write to `req.session`
+  // some path that contains "login" with a write to `req.session`
   setup.getPath().matches("%login%") and
   exists(
     setup
@@ -30,9 +30,7 @@ predicate isLoginSetup(Express::RouteSetup setup) {
         .getAPropertyRead("session")
         .getAPropertyWrite()
   )
-  or
-  // or an authentication method is used (e.g. `passport.authenticate`)
-  setup.getARouteHandler().(DataFlow::CallNode).getCalleeName() = "authenticate"
+  // passport used to be recognized, but they have since added built-in protection against session fixation
 }
 
 /**

javascript/ql/test/query-tests/Security/CWE-384/SessionFixation.expected

@@ -1,2 +1 @@
 | tst.js:9:1:14:2 | app.get ... n');\\n}) | Route handler does not invalidate session following login |
-| tst.js:27:1:29:2 | app.get ... n');\\n}) | Route handler does not invalidate session following login |

javascript/ql/test/query-tests/Security/CWE-384/tst.js

@@ -24,7 +24,7 @@ app.get('/login2', function (req, res) { // OK
 });
 
 // using passport
-app.get('/passport', passport.authenticate('local'), function (req, res) { // NOT OK - no regenerate
+app.get('/passport', passport.authenticate('local'), function (req, res) { // OK - passport is safe
     res.send('logged in');
 });