JavaScript

Made by DeepSource

Insecure express middleware path JS-S1018

Security
Critical
Autofix · A07 (OWASP Top 10) · CWE-178

In Express, paths specified as string literals are matched case-insensitively (the router's `caseSensitive` option is off by default), whereas paths specified as regular expressions are matched exactly as written, so a regex without the `i` flag is case sensitive. When such a case-sensitive regex is used as a middleware mount path, a client can sidestep the middleware simply by altering the letter casing of the endpoint it requests, while the string-literal route behind it still matches.

To fix this issue, add the `i` flag to the regex so that it, too, is case insensitive.

Bad Practice

In the following example, requesting the /admin/users endpoint via the /AdMiN/users path causes Express to skip the middleware, because the regex does not match the mixed-case path. The string-literal route does match, so unauthenticated clients gain access to the users resource.

import express from 'express'

const app = express()

// Guard for everything under /admin. The regex has no "i" flag, so it is
// case sensitive and does NOT match a request for "/AdMiN/users/1".
// `req.user` is assumed to be populated by an earlier authentication middleware.
app.use(/\/admin\/.*/, (req, res, next) => {
  if (req.user && req.user.isAdmin) return next()
  res.status(401).send("Unauthorized")
});

// String-literal routes are matched case-insensitively by default, so this
// handler still runs for "/AdMiN/users/1" even though the guard was skipped.
// `db` is assumed to be the application's data layer (not shown on this page).
app.get('/admin/users/:id', (req, res) => {
  res.json(db.users.get(req.params.id))
});

Recommended

import express from 'express'

const app = express()

// With the "i" flag the regex matches "/admin/...", "/ADMIN/..." and any
// other casing, so the guard runs for every spelling of the path.
// `req.user` is assumed to be populated by an earlier authentication middleware.
app.use(/\/admin\/.*/i, (req, res, next) => {
  // note the "i" flag ^
  if (req.user && req.user.isAdmin) return next()
  res.status(401).send("Unauthorized")
});

// `db` is assumed to be the application's data layer (not shown on this page).
app.get('/admin/users/:id', (req, res) => {
  res.json(db.users.get(req.params.id))
});
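The following is an added example, not code from the DeepSource rule page or from the Express project. It models, in plain Node.js with no Express install, how a string-literal mount path and a RegExp mount path are matched against a request path, replays the bypass above against both the unflagged and the `i`-flagged regex, and finishes with a small audit helper of the kind a reviewer would run over an application's mount patterns to find regexes missing the flag. The matching model (`mountMatches`), the request simulation (`simulateRequest`) and the audit helper (`findCaseSensitiveRegexMounts`) are simplified stand-ins written for this example; they are not Express APIs.

```javascript
// Added example (not from the DeepSource rule page or the Express project).
// Simplified model of how Express matches an app.use() mount path:
//  - a string literal is matched as a case-insensitive prefix on a segment
//    boundary (Express' default, since `caseSensitive` is off unless set);
//  - a RegExp is tested as-is, so only its own flags decide case handling.
function mountMatches(pattern, requestPath) {
  if (pattern instanceof RegExp) {
    return pattern.test(requestPath);
  }
  const p = pattern.toLowerCase();
  const r = requestPath.toLowerCase();
  if (p === '/') return true;
  return r === p || r.startsWith(p.endsWith('/') ? p : p + '/');
}

// Replays the page's scenario: an admin guard mounted on `adminPattern` in
// front of a string-literal route for /admin/users/:id. Returns which handler
// answered, so the bypass shows up as a return value rather than a log line.
function simulateRequest(adminPattern, requestPath, user) {
  // 1. the guard middleware, if its mount pattern matches
  if (mountMatches(adminPattern, requestPath)) {
    if (!(user && user.isAdmin)) {
      return { status: 401, handler: 'guard' };
    }
  }
  // 2. the protected route, registered with a string literal and therefore
  //    matched case-insensitively regardless of how the guard was mounted
  if (mountMatches('/admin/users', requestPath)) {
    return { status: 200, handler: 'users' };
  }
  return { status: 404, handler: null };
}

// Defender-side audit: given the patterns an application mounts middleware on,
// report the RegExp ones that lack the "i" flag (the condition JS-S1018 flags).
function findCaseSensitiveRegexMounts(patterns) {
  return patterns.filter(
    (p) => p instanceof RegExp && !p.flags.includes('i')
  );
}

// Summary table for a quick stand-alone run: same request, both guards.
function demo() {
  const unflagged = /\/admin\/.*/;
  const flagged = /\/admin\/.*/i;
  const anonymous = null;
  return {
    lowercase_unflagged: simulateRequest(unflagged, '/admin/users/7', anonymous),
    mixedcase_unflagged: simulateRequest(unflagged, '/AdMiN/users/7', anonymous), // bypass
    mixedcase_flagged: simulateRequest(flagged, '/AdMiN/users/7', anonymous),
    audit: findCaseSensitiveRegexMounts([unflagged, flagged, '/admin']).map(String),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The mixed-case request against the unflagged regex reaches the `users` handler with a 200, while the same request against the `i`-flagged regex is stopped by the guard with a 401; the audit returns only the unflagged pattern. Feeding `findCaseSensitiveRegexMounts` the list of mount patterns from an app's router registrations gives a cheap pre-deployment check for this class of mistake.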
