Insecure Helmet middle configuration - frameguard or CSP to 'false'

aegilops · aegilops · commit 3a885eaf9f64 · 2024-05-20T11:58:55.000+01:00
diff --git a/javascript/ql/src/Security/CWE-693/InsecureHelmet.qhelp b/javascript/ql/src/Security/CWE-693/InsecureHelmet.qhelp
@@ -0,0 +1,71 @@
+<!DOCTYPE qhelp SYSTEM "qhelp.dtd">
+<qhelp>
+    <overview>
+        <p>
+            <a href="https://helmetjs.github.io/">Helmet</a> is a collection of middleware functions for securing Express apps. It sets various HTTP headers to guard against common web vulnerabilities.
+
+            This query detects Helmet misconfigurations that can lead to security vulnerabilities, specifically:
+
+            <ul>
+                <li>Disabling frame protection</li>
+                <li>Disabling Content Security Policy</li>
+            </ul>
+
+            Content Security Policy (CSP) helps spot and prevent injection attacks such as Cross-Site Scripting (XSS).
+
+            Removing frame protections exposes an application to attacks such as clickjacking, where an attacker can trick a user into clicking on a button or link on a targeted page when they intended to click on the page carrying out the attack.
+        </p>
+    </overview>
+    <recommendation>
+        <p>
+            To help mitigate these vulnerabilities, ensure that the following Helmet functions are not disabled, and are configured appropriately to your application:
+            <ul>
+                <li><code>frameguard</code></li>
+                <li><code>contentSecurityPolicy</code></li>
+            </ul>
+        </p>
+    </recommendation>
+    <example>
+        <p>
+            The following code snippet demonstrates Helmet configured in an insecure manner:
+            <code class="language-javascript">
+                const helmet = require('helmet');
+                app.use(helmet({
+                    frameguard: false,
+                    contentSecurityPolicy: false
+                }));
+            </code>
+        </p>
+        <p>
+            In this example, the defaults are used, which enables frame protection and a default Content Security Policy.
+
+            <code class="language-javascript">
+                app.use(helmet());
+            </code>
+
+            You can also enable a custom Content Security Policy by passing an object to the <code>contentSecurityPolicy</code> key. For example, taken from the <a href="https://helmetjs.github.io/#content-security-policy">Helmet docs:
+
+            <code class="language-javascript">
+                app.use(
+                    helmet({
+                        contentSecurityPolicy: {
+                            directives: {
+                                "script-src": ["'self'", "example.com"],
+                                "style-src": null,
+                            },
+                        },
+                    })
+                );
+            <code>
+        <p>
+            
+        </p>
+    </example>
+    <references>
+        <ul>
+            <li>
+                <a href="https://helmetjs.github.io/">helmet.js website</a>
+            </li>
+        </ul>
+    </references>
+</qhelp>
diff --git a/javascript/ql/src/Security/CWE-693/InsecureHelmet.ql b/javascript/ql/src/Security/CWE-693/InsecureHelmet.ql
@@ -0,0 +1,36 @@
+/**
+ * @name Insecure configuration of Helmet security middleware
+ * @description The Helmet middleware is used to set security-related HTTP headers in Express applications. This query finds instances where the middleware is configured with important security features disabled.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 5.0
+ * @precision high
+ * @id javascript/insecure-helmet-configuration
+ * @tags security
+ *        cwe-693
+ *        cwe-1021
+ */
+
+import semmle.javascript.frameworks.ExpressModules
+
+class HelmetProperty extends Property {
+  HelmetProperty() {
+    exists(ExpressLibraries::HelmetRouteHandler helmet |
+      helmet.(DataFlow::CallNode).getAnArgument().asExpr().(ObjectExpr).getAProperty() = this
+    )
+  }
+
+  predicate isFalse() { this.getInit().(BooleanLiteral).getBoolValue() = false }
+
+  predicate isImportantSecuritySetting() {
+    this.getName() in ["frameguard", "contentSecurityPolicy"]
+    // read from data extensions to allow enforcing other settings
+    // TODO
+  }
+}
+
+from HelmetProperty helmetSetting
+where
+  helmetSetting.isFalse() and
+  helmetSetting.isImportantSecuritySetting()
+select helmetSetting, "Helmet route handler, called with $@ set to 'false'", helmetSetting, helmetSetting.getName()
