Merge pull request #42 from trailofbits/apollo-csrf-update

Update v4-csrf-prevention rule and add autofix
trailofbits · Jan 16, 2024 · 90561e1 · 90561e1
2 parents 04b8335 + f364d8d
commit 90561e1
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/javascript/apollo-graphql/v4-csrf-prevention.ts b/javascript/apollo-graphql/v4-csrf-prevention.ts
@@ -1,4 +1,4 @@
-// OK: Lacks 'csrfPrevention: true', but on v4 this option is false by default
+// OK: Lacks 'csrfPrevention: true', but on v4 this option is true by default
 //ok: v4-csrf-prevention
 const apollo_server_1 = new ApolloServer({
     typeDefs,

diff --git a/javascript/apollo-graphql/v4-csrf-prevention.yaml b/javascript/apollo-graphql/v4-csrf-prevention.yaml
@@ -18,6 +18,9 @@ rules:
       description: "CSRF protection disabled"
       references:
         - https://www.apollographql.com/docs/apollo-server/v3/security/cors/#preventing-cross-site-request-forgery-csrf
+      fix-regex:
+        regex: 'csrfPrevention:\s*false'
+        replacement: "csrfPrevention: true"
 
     patterns:
       - pattern: |