Skip to content

Conversation

@erik-krogh
Copy link
Contributor

@erik-krogh erik-krogh commented Nov 2, 2021

Inspired by this csharp query. (Which has no results on all of lgtm.com).

An evaluation looks ok-ish.
The new results appear to be TPs, but I'm not sure if they are worth fixing.
So I set the severity to warning and the precision to medium, so that the alerts are not shown by default.

@erik-krogh erik-krogh added the Awaiting evaluation Do not merge yet, this PR is waiting for an evaluation to finish label Nov 2, 2021
@erik-krogh erik-krogh removed the Awaiting evaluation Do not merge yet, this PR is waiting for an evaluation to finish label Nov 3, 2021
@erik-krogh erik-krogh marked this pull request as ready for review November 3, 2021 14:54
@erik-krogh erik-krogh requested a review from a team as a code owner November 3, 2021 14:54
Copy link
Contributor

@asgerf asgerf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After briefly reading up on session fixation, my initial impression is that express-session in its default configuration is practically immune, and the attack is only viable if the site already has an XSS vulnerability.

With the warning/medium classification I think that's fine, but I'm curious if I missed anything?

Otherwise LGTM

Co-authored-by: Asger F <asgerf@github.com>
@erik-krogh
Copy link
Contributor Author

After briefly reading up on session fixation, my initial impression is that express-session in its default configuration is practically immune, and the attack is only viable if the site already has an XSS vulnerability.

With the warning/medium classification I think that's fine, but I'm curious if I missed anything?

I don't think you did.
But some developers care about it anyway.

asgerf
asgerf previously approved these changes Nov 9, 2021
@erik-krogh erik-krogh added the ready-for-doc-review This PR requires and is ready for review from the GitHub docs team. label Nov 9, 2021
ethanpalm
ethanpalm previously approved these changes Nov 10, 2021
Copy link
Contributor

@ethanpalm ethanpalm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good from a docs perspective with just one tiny suggestion 👍🏼

Co-authored-by: Ethan Palm <56270045+ethanpalm@users.noreply.github.com>
@erik-krogh erik-krogh dismissed stale reviews from ethanpalm and asgerf via ab5d945 November 10, 2021 07:24
Copy link
Contributor

@ethanpalm ethanpalm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving again since my previous review was dismissed as stale.

Looks good from docs 🚀

@erik-krogh erik-krogh merged commit 140a70f into github:main Nov 11, 2021
@jaredhanson
Copy link

Thanks for all your work on security analysis! I just wanted to update here that the latest version of passport, 0.6.0, is now actively defending against session fixation attacks by default. Sessions are regenerated internally, and there's no longer any need to do it at the application-level. The announcement has more info. Let me know if you want any further details.

@erik-krogh
Copy link
Contributor Author

Thanks for all your work on security analysis! I just wanted to update here that the latest version of passport, 0.6.0, is now actively defending against session fixation attacks by default. Sessions are regenerated internally, and there's no longer any need to do it at the application-level. The announcement has more info. Let me know if you want any further details.

Thanks for the heads up. I'll remove passport from our query.

If you create a security advisory (and possibly request a CVE), then more people will probably upgrade to the new version.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

documentation JS ready-for-doc-review This PR requires and is ready for review from the GitHub docs team.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants