Cross-site Request Forgery (CSRF) found in csurf package

[IdanAdar]

Do we have alternative packages to csurf? it seems unmaintained, and recently a vulnerability was discovered.
https://snyk.io/vuln/SNYK-JS-CSURF-3021144

Given the popularity of this package, the impact radius is large...

[dougwilson]

Hi @IdanAdar sorry about that. The tracker was flooded and I had to limit it while I got some time to add a message. You'll need to choose another module, unfortunately.

[IdanAdar]

@dougwilson, is this the official decision of the ExpressJS org which houses this package?
This package is popular and I am not aware of alternatives, so please re-open this discussion. It cannot be one-sided decision.

[dougwilson]

Hi @IdanAdar yes, it is. Do you have any suggestions for fixing the underlying issue? The module gets almost a monthly report about the fact that you can do exactly what the OAWASP csrf articles says is possible. If you would like to take over the module, the license allows that and we can direct everyone to the version you have 👍

[IdanAdar]

What alternative module are you suggesting the world to use, please?

[dougwilson]

One which is not "vulnerable". I have not evaluated others at this time so am not looking to make a specific suggestion and opening myself to liability. If you have a suggestion that would be awesome and I can list it 👍 You may also try contacting that security researcher and see if they have a suggested module; you're also welcome to fork the module and fix it such that it is secure and I'd be happy to point to your module. I'm not sure what else you're looking for. Any help regarding that answer is appreciated, as I don't have an answer for ya.

Edit: you can also try reaching out to Snyk for a suggestion, as they are the ones who first blacklisted the module, and so I am just putting notice up on the repo and stuff now that it's deprecated, as that is the word from Snyk.

[dougwilson]

FWIW I just sent Snyk a request for what specific code changes would solve the issue at hand and remove the blacklist.

[dougwilson]

Hi @IdanAdar I just wanted to follow up here since you gave the above a thumbs up that I have just got a response back that the request is being escalated, but nothing further as of yet.

[dougwilson]

The only response I have gotten was simply to point to their own Synk page and it took a bit to even have them realize they were talking to the package maintainer, and then still no code guidance. I'm going to close this as it does not seem like they are willing to help and I don't have the energy to fight them about it.

[dougwilson]

And to help make it clear the frustration here: it states that the package does not value the XSRF-Token cookie, but if you have used the package you will find that it sets no such cookie name, so why would it even look for that cookie name? It sets a cookie named _csrf, which is also listed in the blurb and it does indeed validate that cookie value against the token submitted from the front end, which is does though a query param, body param, or custom header. That makes up the two pieces of the double-submit pattern. There is no third piece (XSRF-Token cookie) involved. I have not received any PoC app I can run that actually demonstrates an issue in the package, so I have no way to actually figure anything out, either.

After the Snyk blacklist of the package, I have archived and deprecated out of frustration as it will just be endless issues opened in the package from users who don't know what to do, and I have no PoC to work against to solve anything. The security side of these reports is very one sided and places like Snyk wield large power to effectively blacklist a module and never even contact the author about anything. Then when one tries to contact them, you just get some low level support who doesn't understand the technical details and no help. And since Snyk lists the version range as * even releasing a new version won't make the vulun go away; it will turn in to another round of begging and pleading with their support staff; I had to do this wither another module and it was just hair-pulling experience I'm not going to bother with any longer.

[dougwilson]

I will add that I still have not been able to reach beyond the front line support in Snyk which has not been helpful in any way, just proving the link above. Also if this package were really that popular, one would think that lots of folks would be reaching out/offering to help/anything. This is the only one in over a week so far, so either it's just not very popular or no one actually cares to help, which is a demonstration for why it was simply deprecated after Snyk blacklisted the module.

[IdanAdar]

I’m trying some internal contacts to get proper response from Snyk. I agree it’s irresponsible from them.

[dougwilson]

Thanks, it is appreciated. For more context (sorry this all came down fast and is just very upsetting -- especially Snyk blacklisting the module without even reaching out before hand), the security article they reference I did have correspondence with, but I asked over and over again for a PoC to demonstrate the issue and they refused, saying it was the client's code. I gave them the example from the README and I asked for them to alter it (as necessary) and provide the steps to reproduce the issue and they told me they were just a product manager and didn't know how to run the Node.js code. I helped get it running, but still no instructions. I then made multiple changes and provided the person them asking if they addressed the issues or not, but no. I was left just I guess trying to guess what I was supposed to do and after that going on for 2 months, I threw up my hands and said if he thinks it's vulnerable, then I guess it is and left it as that, as I have no idea what exactly I'm supposed to be changing to fix whatever. I'm not CSRF expect and didn't even write the module. I took it over as that author left the project, but I don't have time to play 1 million questions with some security researchers who won't even provide a PoC or a patch. Once Snyk blacklisted it, my experience interactive with Snyk tells me just to abandon the module at that point. I didn't even deprecate it until you filed this issue bringing up that Snyk blacklisted it.