-
Notifications
You must be signed in to change notification settings - Fork 1.9k
JS: add js/session-fixation query #7029
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Conversation
asgerf
left a comment
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
After briefly reading up on session fixation, my initial impression is that express-session in its default configuration is practically immune, and the attack is only viable if the site already has an XSS vulnerability.
With the warning/medium classification I think that's fine, but I'm curious if I missed anything?
Otherwise LGTM
Co-authored-by: Asger F <asgerf@github.com>
I don't think you did. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks good from a docs perspective with just one tiny suggestion 👍🏼
Co-authored-by: Ethan Palm <56270045+ethanpalm@users.noreply.github.com>
ethanpalm
left a comment
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Approving again since my previous review was dismissed as stale.
Looks good from docs 🚀
|
Thanks for all your work on security analysis! I just wanted to update here that the latest version of |
Thanks for the heads up. I'll remove passport from our query. If you create a security advisory (and possibly request a CVE), then more people will probably upgrade to the new version. |
Inspired by this csharp query. (Which has no results on all of lgtm.com).
An evaluation looks ok-ish.
The new results appear to be TPs, but I'm not sure if they are worth fixing.
So I set the severity to
warningand the precision tomedium, so that the alerts are not shown by default.