From 0ad20d414fc9d8002eb35cc02e27166688a427d8 Mon Sep 17 00:00:00 2001 From: Alistair Laing Date: Thu, 19 Dec 2024 12:11:54 +0000 Subject: [PATCH] Moving away from csurf and to csrf-sync Fixes a security vulnerability https://github.com/advisories/GHSA-pxg6-pf52-xh8x and brings our UI more inline with HMPPS Typescript template ``` csurf has been deprecated for some time and this removes that dependency and implements the synchronizer token pattern using csrf-sync. Note: Previously csurf used to generate new tokens on every request. The new library generates tokens once per session which is preferrable due to the extra calls to redis that per-request would generate. It is possible to force a refresh/revocation of a token by explicitly calling: req.csrfToken(true) See PR #481 ``` Quote from https://github.com/ministryofjustice/hmpps-template-typescript/blob/2e139f5e9e3a6dbfaa0c6bbbc240513556102a8f/CHANGELOG.md PR: https://github.com/ministryofjustice/hmpps-template-typescript/pull/481/files --- package-lock.json | 111 +++------------------------------ package.json | 3 +- server/middleware/setUpCsrf.ts | 14 ++++- 3 files changed, 21 insertions(+), 107 deletions(-) diff --git a/package-lock.json b/package-lock.json index f76614f1bf..8e3e80ecd4 100644 --- a/package-lock.json +++ b/package-lock.json @@ -25,7 +25,7 @@ "compression": "^1.7.4", "connect-flash": "^0.1.1", "connect-redis": "^7.0.0", - "csurf": "^1.11.0", + "csrf-sync": "^4.0.3", "date-fns": "^3.0.0", "dotenv": "^16.4.4", "express": "^4.21.0", @@ -64,7 +64,6 @@ "@types/compression": "^1.7.2", "@types/connect-flash": "0.0.40", "@types/cookie-session": "^2.0.44", - "@types/csurf": "^1.11.2", "@types/express-session": "^1.17.5", "@types/http-errors": "^2.0.0", "@types/jest": "^29.0.0", @@ -3583,16 +3582,6 @@ "dev": true, "license": "MIT" }, - "node_modules/@types/csurf": { - "version": "1.11.5", - "resolved": "https://registry.npmjs.org/@types/csurf/-/csurf-1.11.5.tgz", - "integrity": "sha512-5rw87+5YGixyL2W8wblSUl5DSZi5YOlXE6Awwn2ofLvqKr/1LruKffrQipeJKUX44VaxKj8m5es3vfhltJTOoA==", - "dev": true, - "license": "MIT", - "dependencies": { - "@types/express-serve-static-core": "*" - } - }, "node_modules/@types/express": { "version": "4.17.21", "resolved": "https://registry.npmjs.org/@types/express/-/express-4.17.21.tgz", @@ -5913,15 +5902,6 @@ "dev": true, "license": "MIT" }, - "node_modules/cookie": { - "version": "0.4.0", - "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.4.0.tgz", - "integrity": "sha512-+Hp8fLp57wnUSt0tY0tHEXh4voZRDnoIrZPqlo3DPiI4y9lwg/jqx+1Om94/W6ZaPDOUbnjOt/99w66zk+l1Xg==", - "license": "MIT", - "engines": { - "node": ">= 0.6" - } - }, "node_modules/cookie-session": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/cookie-session/-/cookie-session-2.1.0.tgz", @@ -6049,83 +6029,13 @@ "node": "*" } }, - "node_modules/csrf": { - "version": "3.1.0", - "resolved": "https://registry.npmjs.org/csrf/-/csrf-3.1.0.tgz", - "integrity": "sha512-uTqEnCvWRk042asU6JtapDTcJeeailFy4ydOQS28bj1hcLnYRiqi8SsD2jS412AY1I/4qdOwWZun774iqywf9w==", - "license": "MIT", - "dependencies": { - "rndm": "1.2.0", - "tsscmp": "1.0.6", - "uid-safe": "2.1.5" - }, - "engines": { - "node": ">= 0.8" - } - }, - "node_modules/csurf": { - "version": "1.11.0", - "resolved": "https://registry.npmjs.org/csurf/-/csurf-1.11.0.tgz", - "integrity": "sha512-UCtehyEExKTxgiu8UHdGvHj4tnpE/Qctue03Giq5gPgMQ9cg/ciod5blZQ5a4uCEenNQjxyGuzygLdKUmee/bQ==", - "deprecated": "Please use another csrf package", - "license": "MIT", - "dependencies": { - "cookie": "0.4.0", - "cookie-signature": "1.0.6", - "csrf": "3.1.0", - "http-errors": "~1.7.3" - }, - "engines": { - "node": ">= 0.8.0" - } - }, - "node_modules/csurf/node_modules/depd": { - "version": "1.1.2", - "resolved": "https://registry.npmjs.org/depd/-/depd-1.1.2.tgz", - "integrity": "sha512-7emPTl6Dpo6JRXOXjLRxck+FlLRX5847cLKEn00PLAgc3g2hTZZgr+e4c2v6QpSmLeFP3n5yUo7ft6avBK/5jQ==", - "license": "MIT", - "engines": { - "node": ">= 0.6" - } - }, - "node_modules/csurf/node_modules/http-errors": { - "version": "1.7.3", - "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-1.7.3.tgz", - "integrity": "sha512-ZTTX0MWrsQ2ZAhA1cejAwDLycFsd7I7nVtnkT3Ol0aqodaKW+0CTZDQ1uBv5whptCnc8e8HeRRJxRs0kmm/Qfw==", - "license": "MIT", + "node_modules/csrf-sync": { + "version": "4.0.3", + "resolved": "https://registry.npmjs.org/csrf-sync/-/csrf-sync-4.0.3.tgz", + "integrity": "sha512-wXzltBBzt/7imzDt6ZT7G/axQG7jo4Sm0uXDUzFY8hR59qhDHdjqpW2hojS4oAVIZDzwlMQloIVCTJoDDh0wwA==", + "license": "ISC", "dependencies": { - "depd": "~1.1.2", - "inherits": "2.0.4", - "setprototypeof": "1.1.1", - "statuses": ">= 1.5.0 < 2", - "toidentifier": "1.0.0" - }, - "engines": { - "node": ">= 0.6" - } - }, - "node_modules/csurf/node_modules/setprototypeof": { - "version": "1.1.1", - "resolved": "https://registry.npmjs.org/setprototypeof/-/setprototypeof-1.1.1.tgz", - "integrity": "sha512-JvdAWfbXeIGaZ9cILp38HntZSFSo3mWg6xGcJJsd+d4aRMOqauag1C63dJfDw7OaMYwEbHMOxEZ1lqVRYP2OAw==", - "license": "ISC" - }, - "node_modules/csurf/node_modules/statuses": { - "version": "1.5.0", - "resolved": "https://registry.npmjs.org/statuses/-/statuses-1.5.0.tgz", - "integrity": "sha512-OpZ3zP+jT1PI7I8nemJX4AKmAX070ZkYPVWV/AaKTJl+tXCTGyVdC1a4SL8RUQYEwk/f34ZX8UTykN68FwrqAA==", - "license": "MIT", - "engines": { - "node": ">= 0.6" - } - }, - "node_modules/csurf/node_modules/toidentifier": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/toidentifier/-/toidentifier-1.0.0.tgz", - "integrity": "sha512-yaOH/Pk/VEhBWWTlhI+qXxDFXlejDGcQipMlyxda9nthulaxLZUNcUqFxokp0vcYnvteJln5FNQDRrxj3YcbVw==", - "license": "MIT", - "engines": { - "node": ">=0.6" + "http-errors": "^2.0.0" } }, "node_modules/cypress": { @@ -14001,12 +13911,6 @@ "rimraf": "bin.js" } }, - "node_modules/rndm": { - "version": "1.2.0", - "resolved": "https://registry.npmjs.org/rndm/-/rndm-1.2.0.tgz", - "integrity": "sha512-fJhQQI5tLrQvYIYFpOnFinzv9dwmR7hRnUz1XqP3OJ1jIweTNOd6aTO4jwQSgcBSFUB+/KHJxuGneime+FdzOw==", - "license": "MIT" - }, "node_modules/roarr": { "version": "2.15.4", "resolved": "https://registry.npmjs.org/roarr/-/roarr-2.15.4.tgz", @@ -15510,6 +15414,7 @@ "version": "1.0.6", "resolved": "https://registry.npmjs.org/tsscmp/-/tsscmp-1.0.6.tgz", "integrity": "sha512-LxhtAkPDTkVCMQjt2h6eBVY28KCjikZqZfMcC15YBeNjkgUpdCfBu5HoiOTDu86v6smE8yOjyEktJ8hlbANHQA==", + "dev": true, "license": "MIT", "engines": { "node": ">=0.6.x" diff --git a/package.json b/package.json index 8aaf8aee6c..98c8ac687a 100644 --- a/package.json +++ b/package.json @@ -134,7 +134,7 @@ "compression": "^1.7.4", "connect-flash": "^0.1.1", "connect-redis": "^7.0.0", - "csurf": "^1.11.0", + "csrf-sync": "^4.0.3", "date-fns": "^3.0.0", "dotenv": "^16.4.4", "express": "^4.21.0", @@ -173,7 +173,6 @@ "@types/compression": "^1.7.2", "@types/connect-flash": "0.0.40", "@types/cookie-session": "^2.0.44", - "@types/csurf": "^1.11.2", "@types/express-session": "^1.17.5", "@types/http-errors": "^2.0.0", "@types/jest": "^29.0.0", diff --git a/server/middleware/setUpCsrf.ts b/server/middleware/setUpCsrf.ts index 6f9a1a5454..e736173e43 100644 --- a/server/middleware/setUpCsrf.ts +++ b/server/middleware/setUpCsrf.ts @@ -1,5 +1,5 @@ import { Router } from 'express' -import csurf from 'csurf' +import { csrfSync } from 'csrf-sync' const testMode = process.env.NODE_ENV === 'test' @@ -8,7 +8,17 @@ export default function setUpCsrf(): Router { // CSRF protection if (!testMode) { - router.use(csurf()) + const { + csrfSynchronisedProtection, // This is the default CSRF protection middleware. + } = csrfSync({ + // By default, csrf-sync uses x-csrf-token header, but we use the token in forms and send it in the request body, so change getTokenFromRequest so it grabs from there + getTokenFromRequest: req => { + // eslint-disable-next-line no-underscore-dangle + return req.body._csrf + }, + }) + + router.use(csrfSynchronisedProtection) } router.use((req, res, next) => {