In Express, paths specified using string literals are matched case-insensitively, whereas paths specified using a regular expression are matched case-sensitively. When a case-sensitive regex is used as a middleware route, attackers can bypass the middleware by altering the casing of the endpoint they choose to hit.
To fix this issue, add the `i` flag to the regex so that it matches case-insensitively.
In the following example, requesting the /admin/users endpoint through the /AdMiN/users path causes Express to skip the authorization middleware, because the regex `/\/admin\/.*/` does not match the mixed-case path while the string route `'/admin/users/:id'` still does. This grants unauthorized clients access to the users resource.
```javascript
import express from 'express'
const app = express()

// Vulnerable: the regex has no "i" flag, so it is matched case-sensitively.
// A request to /AdMiN/users/1 does not match and the guard below never runs.
// req.user is assumed to be populated by an earlier authentication middleware.
app.use(/\/admin\/.*/, (req, res, next) => {
  if (req.user && req.user.isAdmin) return next()
  res.status(401).send("Unauthorized")
});

// String routes are matched case-insensitively, so /AdMiN/users/1 still
// reaches this handler. db is assumed to be the application's data layer.
app.get('/admin/users/:id', (req, res) => {
  res.json(db.users.get(req.params.id))
});
```
The fixed version adds the `i` flag, so the guard matches the path regardless of casing:

```javascript
import express from 'express'
const app = express()

// Fixed: the "i" flag makes the regex case-insensitive, so /AdMiN/users/1
// now matches and the authorization check runs before the route handler.
app.use(/\/admin\/.*/i, (req, res, next) => {
  // note the "i" flag ^
  if (req.user && req.user.isAdmin) return next()
  res.status(401).send("Unauthorized")
});

app.get('/admin/users/:id', (req, res) => {
  res.json(db.users.get(req.params.id))
});
```
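To make the mismatch concrete without running a server, the following added example (not code from the page or from Express itself) models the two matching rules the page describes: string routes compared case-insensitively, regex routes handed to `RegExp.prototype.test` as-is. `compileStringRoute`, `pathMatches` and `handleRequest` are simplified stand-ins for Express's router, written for this illustration; the request paths and user objects are constructed sample inputs.

```javascript
// Guard patterns as they appear on the page: without and with the "i" flag.
const ADMIN_GUARD_VULNERABLE = /\/admin\/.*/;
const ADMIN_GUARD_FIXED = /\/admin\/.*/i;

// Simplified model of how Express turns a string route such as
// '/admin/users/:id' into a matcher: ":param" segments become "[^/]+" and
// the whole pattern is compiled case-insensitively (Express's default).
// This is an approximation for illustration, not Express's real code.
function compileStringRoute(route) {
  const source = '^' + route.replace(/:[^/]+/g, '[^/]+') + '$';
  return new RegExp(source, 'i');
}

// A regex route is tested exactly as written, so its case sensitivity is
// whatever the author gave it; a string route goes through the compiler above.
function pathMatches(route, path) {
  if (route instanceof RegExp) return route.test(path);
  return compileStringRoute(route).test(path);
}

// Push one request through a two-layer stack (guard, then resource handler)
// and report the final status plus whether the guard executed at all.
function handleRequest(guardPattern, path, user) {
  const req = { path, user };
  const res = { status: 404 };
  const trace = { guardRan: false };

  const stack = [
    {
      route: guardPattern,
      handler: (req, res, next) => {
        trace.guardRan = true;
        if (req.user && req.user.isAdmin) return next();
        res.status = 401; // Unauthorized
      },
    },
    {
      route: '/admin/users/:id',
      handler: (req, res) => { res.status = 200; }, // resource served
    },
  ];

  let i = 0;
  const next = () => {
    while (i < stack.length) {
      const layer = stack[i++];
      if (pathMatches(layer.route, req.path)) {
        layer.handler(req, res, next);
        return;
      }
    }
  };
  next();
  return { status: res.status, guardRan: trace.guardRan };
}

// Constructed sample requests from an unauthenticated client.
const anonymous = null;
console.log(handleRequest(ADMIN_GUARD_VULNERABLE, '/admin/users/7', anonymous)); // { status: 401, guardRan: true }
console.log(handleRequest(ADMIN_GUARD_VULNERABLE, '/AdMiN/users/7', anonymous)); // { status: 200, guardRan: false }  <- bypass
console.log(handleRequest(ADMIN_GUARD_FIXED, '/AdMiN/users/7', anonymous));      // { status: 401, guardRan: true }
console.log(handleRequest(ADMIN_GUARD_FIXED, '/admin/users/7', { isAdmin: true })); // { status: 200, guardRan: true }
```

The second call is the problem the page describes: the mixed-case path never matches the case-sensitive guard, yet the case-insensitive string route still serves the resource. A quick review check for a codebase is therefore to look for `app.use(/.../)` or `router.use(/.../)` calls whose regex lacks the `i` flag while the routes they are meant to protect are declared as strings.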