CodeQL documentation

Case-sensitive middleware path

ID: js/case-sensitive-middleware-path
Kind: problem
Security severity: 7.3
Severity: warning
Precision: high
Tags:
   - security
   - external/cwe/cwe-178
Query suites:
   - javascript-code-scanning.qls
   - javascript-security-extended.qls
   - javascript-security-and-quality.qls


Using a case-sensitive regular expression path in a middleware route enables an attacker to bypass that middleware when accessing an endpoint with a case-insensitive path. Paths specified using a string are case-insensitive, whereas regular expressions are case-sensitive by default.

Recommendation

When using a regular expression as a middleware path, make sure the regular expression is case-insensitive by adding the i flag.

Example

The following example restricts access to all paths under /admin to users logged in as administrators:

const app = require('express')();

// Intended to guard everything under /admin/, but the regular expression
// has no 'i' flag and therefore only matches lower-case paths.
app.use(/\/admin\/.*/, (req, res, next) => {
    if (!req.user.isAdmin) {
        res.status(401).send('Unauthorized');
    } else {
        next();
    }
});

// String route paths are matched case-insensitively by default.
app.get('/admin/users/:id', (req, res) => {
    res.send(app.database.users[req.params.id]);
});

A path such as /admin/users/45 can only be accessed by an administrator. However, the path /ADMIN/USERS/45 can be accessed by anyone: the upper-case path doesn't match the case-sensitive regular expression, so the middleware is skipped, whereas Express still considers it to match the route path string /admin/users/:id.

The issue can be fixed by adding the i flag to the regular expression:

const app = require('express')();

// The 'i' flag makes the middleware path match regardless of case,
// so it now covers the same requests as the string route below.
app.use(/\/admin\/.*/i, (req, res, next) => {
    if (!req.user.isAdmin) {
        res.status(401).send('Unauthorized');
    } else {
        next();
    }
});

app.get('/admin/users/:id', (req, res) => {
    res.send(app.database.users[req.params.id]);
});
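The bypass described in the example and the effect of the fixed pattern can be reproduced without a network or an Express installation. The block below is an added example, not code from the CodeQL documentation or from Express itself: it models how Express 4 matches app.use() mounts (prefix, at a segment boundary) and app.get() routes (whole path) under the default settings, where string paths are compiled case-insensitively and a RegExp path is used as written. MiniApp, buildApp, statusFor and findCaseBypasses are names chosen here, and the matching rules are a simplified approximation of the real router. It also goes slightly beyond the page: it shows that a string mount ('/admin') is not affected, and that enabling case-sensitive routing for the whole app closes the gap differently, by making the route itself reject /ADMIN/USERS/45.

```javascript
// Added example (not CodeQL's or Express's code): a dependency-free model of
// Express 4 path matching, used to show why a case-sensitive RegExp mount is
// bypassable while string mounts are not. Assumption: default settings
// ('case sensitive routing' and 'strict routing' off) unless overridden.

// Build a matcher for a mount path (prefix match at a segment boundary) or a
// route path (whole URL path, optional trailing slash).
function pathMatcher(pattern, { prefix, caseSensitive }) {
  if (pattern instanceof RegExp) {
    // Express 4 uses a RegExp path as written: only the flags the author
    // supplied decide case sensitivity, and nothing anchors it.
    const re = new RegExp(pattern.source, pattern.flags.replace('g', ''));
    return (url) => re.test(url);
  }
  const source = pattern
    .replace(/[.*+?^${}()|[\]\\]/g, '\\$&') // escape regex metacharacters
    .replace(/:\w+/g, '[^/]+');             // ':id'-style parameters
  const tail = prefix ? '(?=/|$)' : '/?$';
  const re = new RegExp('^' + source + tail, caseSensitive ? '' : 'i');
  return (url) => re.test(url);
}

// Minimal stand-in for an Express app: an ordered stack of layers.
class MiniApp {
  constructor({ caseSensitive = false } = {}) {
    this.stack = [];
    this.caseSensitive = caseSensitive;
  }
  use(path, handler) { this.add(path, handler, true); }
  get(path, handler) { this.add(path, handler, false); }
  add(path, handler, prefix) {
    const match = pathMatcher(path, { prefix, caseSensitive: this.caseSensitive });
    this.stack.push({ match, handler, middleware: prefix });
  }
  // Dispatch one request through the stack, like the Express router: each
  // matching layer runs in order until one ends the response.
  handle(req) {
    const res = {
      statusCode: 200, body: undefined, ended: false,
      status(code) { this.statusCode = code; return this; },
      send(body) { this.body = body; this.ended = true; },
    };
    for (const layer of this.stack) {
      if (!layer.match(req.path)) continue;
      layer.handler(req, res, () => {});
      if (res.ended) return res;
    }
    res.statusCode = 404; // nothing answered
    return res;
  }
}

// Wire up the page's example with a chosen admin mount pattern.
function buildApp(adminPattern, options) {
  const app = new MiniApp(options);
  app.use(adminPattern, (req, res, next) => {
    if (!req.user.isAdmin) {
      res.status(401).send('Unauthorized');
    } else {
      next();
    }
  });
  app.get('/admin/users/:id', (req, res) => {
    res.send('user ' + req.path.split('/').pop()); // constructed stand-in for a DB lookup
  });
  return app;
}

// Status a client with the given privilege gets for a path.
function statusFor(app, path, isAdmin = false) {
  return app.handle({ path, user: { isAdmin } }).statusCode;
}

// Audit helper: report paths whose upper-cased variant still reaches a route
// while skipping a middleware layer that the original path passes through.
function findCaseBypasses(app, paths) {
  const layersFor = (p) => app.stack.filter((l) => l.match(p));
  const hits = [];
  for (const path of paths) {
    const variant = path.toUpperCase();
    const orig = layersFor(path);
    const alt = layersFor(variant);
    const routeStillReached = alt.some((l) => !l.middleware);
    const skipped = orig.filter((l) => l.middleware && !alt.includes(l));
    if (routeStillReached && skipped.length > 0) hits.push({ path, variant, skipped: skipped.length });
  }
  return hits;
}

const vulnerable = buildApp(/\/admin\/.*/);   // the page's first snippet
const fixed = buildApp(/\/admin\/.*/i);       // the page's fixed snippet
const stringMount = buildApp('/admin');       // string mounts are case-insensitive
const strictApp = buildApp(/\/admin\/.*/, { caseSensitive: true }); // whole-app setting

console.log('vulnerable /ADMIN/USERS/45 ->', statusFor(vulnerable, '/ADMIN/USERS/45')); // 200: bypass
console.log('fixed      /ADMIN/USERS/45 ->', statusFor(fixed, '/ADMIN/USERS/45'));      // 401
console.log('string     /ADMIN/USERS/45 ->', statusFor(stringMount, '/ADMIN/USERS/45')); // 401
console.log('strict     /ADMIN/USERS/45 ->', statusFor(strictApp, '/ADMIN/USERS/45'));   // 404
console.log('audit:', findCaseBypasses(vulnerable, ['/admin/users/45']));
```

findCaseBypasses is the check a reviewer would want to run over a route table: it compares which layers a path and its case variant hit, so a mount that protects the lower-case spelling but not the upper-case one shows up regardless of whether the mount is a RegExp or a string. Turning on 'case sensitive routing' is not a fix in itself; it merely makes the route reject the variant as well, which is why that case returns 404 rather than 401.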
