Case-sensitive middleware path
ID: js/case-sensitive-middleware-path
Kind: problem
Security severity: 7.3
Severity: warning
Precision: high
Tags:
- security
- external/cwe/cwe-178
Query suites:
- javascript-code-scanning.qls
- javascript-security-extended.qls
- javascript-security-and-quality.qls
Using a case-sensitive regular expression as a middleware path lets an attacker bypass that middleware when the endpoint it is meant to guard is registered with a case-insensitive path. In Express, paths given as strings are matched case-insensitively by default, whereas regular expressions are case-sensitive unless they carry the `i` flag, so a request whose path differs only in letter case reaches the endpoint without passing through the middleware.
Recommendation
When using a regular expression as a middleware path, make sure the regular expression is case-insensitive by adding the i flag.
Example
The following example restricts access to paths under /admin to users logged in as administrators:

```javascript
const app = require('express')();

// Middleware path is a case-sensitive regular expression (no `i` flag)
app.use(/\/admin\/.*/, (req, res, next) => {
  if (!req.user.isAdmin) {
    res.status(401).send('Unauthorized');
  } else {
    next();
  }
});

// String route paths are matched case-insensitively by Express
app.get('/admin/users/:id', (req, res) => {
  res.send(app.database.users[req.params.id]);
});
```
A path such as /admin/users/45 can only be accessed by an administrator. However, the path /ADMIN/USERS/45 can be accessed by anyone: the upper-case path does not match the case-sensitive regular expression, so the middleware never runs, whereas Express matches it case-insensitively against the string route /admin/users/:id and dispatches the request to the handler.
The issue can be fixed by adding the i flag to the regular expression:
```javascript
const app = require('express')();

// With the `i` flag the middleware matches /admin, /ADMIN, /Admin, ...
app.use(/\/admin\/.*/i, (req, res, next) => {
  if (!req.user.isAdmin) {
    res.status(401).send('Unauthorized');
  } else {
    next();
  }
});

app.get('/admin/users/:id', (req, res) => {
  res.send(app.database.users[req.params.id]);
});
```
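The bypass described above and the effect of the `i` flag, as an added example that is not part of the CodeQL documentation or the Express project. It models the two matching rules in plain JavaScript so it runs without Express: string routes are assumed to be matched case-insensitively (Express's default, with `case sensitive routing` disabled) and RegExp paths are assumed to be tested with `RegExp#test`. `routeToRegExp`, `isBypassed`, `bypassReport` and `findCaseSensitiveMiddlewarePaths` are names introduced here; the request paths are constructed for the demonstration.

```javascript
// Convert an Express-style string route such as '/admin/users/:id' into a
// case-insensitive RegExp, mirroring Express's default handling of string
// paths. Simplified model: only literal segments and `:param` segments.
function routeToRegExp(routeString) {
  const source = routeString
    .split('/')
    .map(seg => seg.startsWith(':')
      ? '[^/]+'
      : seg.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'))
    .join('/');
  return new RegExp('^' + source + '/?$', 'i');
}

// Does a request path reach the handler registered for routeString?
function routeMatches(routeString, requestPath) {
  return routeToRegExp(routeString).test(requestPath);
}

// Does a request path trigger middleware mounted at a RegExp path?
// Assumption: Express tests RegExp paths with RegExp#test, so the
// pattern's own flags decide case sensitivity.
function middlewareMatches(pathRegExp, requestPath) {
  return pathRegExp.test(requestPath);
}

// A request bypasses the guard when the handler would run but the
// middleware mounted in front of it would not.
function isBypassed(pathRegExp, routeString, requestPath) {
  return routeMatches(routeString, requestPath)
    && !middlewareMatches(pathRegExp, requestPath);
}

// Lightweight check in the spirit of the query: report RegExp middleware
// paths that lack the `i` flag.
function findCaseSensitiveMiddlewarePaths(patterns) {
  return patterns.filter(p => p instanceof RegExp && !p.flags.includes('i'));
}

const ADMIN_ROUTE = '/admin/users/:id';
const VULNERABLE = /\/admin\/.*/;   // case-sensitive, as in the first snippet
const FIXED = /\/admin\/.*/i;       // case-insensitive, as in the fix

// Constructed request paths for the demonstration.
const REQUESTS = [
  '/admin/users/45',
  '/ADMIN/USERS/45',
  '/Admin/users/45',
  '/api/users/45',
];

// Which of the sample requests reach the handler without passing the guard?
function bypassReport(pathRegExp) {
  return REQUESTS.filter(p => isBypassed(pathRegExp, ADMIN_ROUTE, p));
}

console.log('bypasses with case-sensitive path:', bypassReport(VULNERABLE));
console.log('bypasses with i flag:', bypassReport(FIXED));
console.log('patterns missing i flag:', findCaseSensitiveMiddlewarePaths([VULNERABLE, FIXED]));
```

Running it shows that `/ADMIN/USERS/45` and `/Admin/users/45` reach the handler past the case-sensitive guard, while `/api/users/45` is not a bypass because the route itself does not match; with the `i` flag the report is empty. The last function is the one-line heuristic a reviewer can apply to a list of mounted patterns: any RegExp path without `i` deserves a second look.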
References
Common Weakness Enumeration: CWE-178.