/**
* Check and see if CSRF middleware is before methodOverride
* @author Adam Baldwin
*/
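'use strict';

//------------------------------------------------------------------------------
// Rule Definition
//------------------------------------------------------------------------------

/**
 * Resolves the ESLint `SourceCode` for a rule context.
 *
 * Prefers the `context.sourceCode` property (available since ESLint 8.40) and
 * falls back to the deprecated `context.getSourceCode()` so the rule keeps
 * working on both older and newer ESLint releases.
 *
 * @param {import('eslint').Rule.RuleContext} context - Rule context passed to `create`.
 * @returns {import('eslint').SourceCode} The source code object for the linted file.
 */
function getSourceCode(context) {
  return context.sourceCode || context.getSourceCode();
}

/**
 * Returns the property name called on the callee of a CallExpression, e.g.
 * `'csrf'` for `express.csrf()`.
 *
 * Only non-computed member accesses have `callee.property.name`; a computed
 * access such as `express['csrf']()` yields `undefined` and is therefore not
 * matched (same as the original behaviour of this rule).
 *
 * @param {import('estree').CallExpression} node - The call being inspected.
 * @returns {string | undefined} The called method name, or `undefined`.
 */
function calledMethodName(node) {
  const callee = node.callee;
  if (!callee || !callee.property) {
    return undefined;
  }
  return callee.property.name;
}

module.exports = {
  meta: {
    // ESLint's documented values are 'problem', 'suggestion' and 'layout';
    // this rule reports a security defect, so 'problem' is the correct type.
    type: 'problem',
    docs: {
      description: 'Detects Express "csrf" middleware setup before "method-override" middleware.',
      category: 'Possible Security Vulnerability',
      recommended: true,
      url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-no-csrf-before-method-override.md',
    },
    // The rule takes no options; an explicit empty schema lets ESLint reject
    // any that are passed by mistake.
    schema: [],
  },

  /**
   * Rationale: Express's csrf middleware does not verify tokens on "safe"
   * methods such as GET. If method-override is registered after it, a request
   * can arrive as GET, pass the csrf check unverified, and then be rewritten
   * into a state-changing verb, bypassing CSRF protection. Registering
   * method-override first makes the csrf check see the effective method.
   *
   * Detection is based on textual order within the linted file: once
   * `express.csrf()` has been seen, any later `express.methodOverride()` in
   * the same file is reported.
   *
   * @param {import('eslint').Rule.RuleContext} context - Rule context.
   * @returns {import('eslint').Rule.RuleListener} AST visitor.
   */
  create(context) {
    // Flipped to true once `express.csrf()` has been encountered.
    let csrfSeen = false;

    return {
      CallExpression(node) {
        // Only calls whose first token is the `express` identifier are of
        // interest (`express.csrf()`, `express.methodOverride()`).
        const firstToken = getSourceCode(context).getFirstToken(node);
        if (!firstToken || firstToken.value !== 'express') {
          return;
        }

        const method = calledMethodName(node);
        if (method === 'methodOverride' && csrfSeen) {
          context.report({ node, message: 'express.csrf() middleware found before express.methodOverride()' });
        }
        if (method === 'csrf') {
          csrfSeen = true;
        }
      },
    };
  },
};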