Add activity feed API #988

Closed
wants to merge 1 commit into from
30 changes: 30 additions & 0 deletions graphite-demo/server.js
@@ -0,0 +1,30 @@
const express = require('express');
const app = express();

Semgrep identified an issue in your code:

A CSRF middleware was not detected in your express application. Ensure you are either using one such as csurf or csrf (see rule references) and/or you are properly doing CSRF validation in your routes with a token or cookies.

To resolve this comment:

✨ Commit Assistant fix suggestion

Suggested change (replaces the line `const app = express();`):
const express = require('express');
const csurf = require('csurf'); // Import csurf for CSRF protection
const cookieParser = require('cookie-parser'); // Import cookie-parser to use with csurf
const app = express();
const port = 3000;
// Use cookie-parser middleware
app.use(cookieParser());
// Use csurf middleware for CSRF protection
app.use(csurf({ cookie: true }));
// Fake data for the activity feed
const activityFeed = [
{
id: 1000,
title: 'New Photo Uploaded',
body: 'Alice uploaded a new photo to her album.'
},
{
id: 2000,
title: 'Comment on Post',
body: "Bob commented on Charlie's post."
},
{
id: 13,
title: 'Status Update',
body: 'Charlie updated their status: "Excited about the new project!"'
}
];
app.get('/feed', (req, res) => {
// Include CSRF token in the response
res.json({ activityFeed, csrfToken: req.csrfToken() });
});
app.listen(port, () => {
console.log(`Server running on port ${port}`);
});
Step-by-step instructions:
  1. Install the csurf middleware by running the command: $ npm install csurf.
  2. Import csurf at the top of your file with const csurf = require('csurf');.
  3. Add the csurf middleware to your Express app. You can do this by adding app.use(csurf()); after initializing your Express app with const app = express();.
  4. Ensure that your application is using a session middleware or cookie parser, as csurf requires either to store the CSRF tokens. If not already included, install and configure one, such as express-session or cookie-parser.
  5. Update your routes to handle CSRF tokens. For example, in your /feed route, you can include the CSRF token in the response by adding res.json({ activityFeed, csrfToken: req.csrfToken() });.

This setup will help protect your application from CSRF attacks by ensuring that requests include a valid CSRF token.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by express-check-csurf-middleware-usage.

You can view more details about this finding in the Semgrep AppSec Platform.

const port = 3000;

// Fake data for the activity feed
const activityFeed = [
{
id: 1000,
title: 'New Photo Uploaded',
body: 'Alice uploaded a new photo to her album.'
},
{
id: 2000,
title: 'Comment on Post',
body: "Bob commented on Charlie's post."
},
{
id: 13,
title: 'Status Update',
body: 'Charlie updated their status: "Excited about the new project!"'
}
];

app.get('/feed', (req, res) => {
res.json(activityFeed);
});

app.listen(port, () => {
console.log(`Server running on port ${port}`);
});
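Review bot: the express-check-csurf-middleware-usage finding does not apply to this hunk as written: the only route is `app.get('/feed', ...)`, which returns the fixed `activityFeed` array and changes no state, and a CSRF token only protects requests that change state. Reply `/ar` with that reason rather than adding csurf to a demo with no mutating route, and add token validation when a POST/PUT/DELETE route is introduced. Do not apply the Commit Assistant suggestion as rendered: it replaces the single line `const app = express();`, yet its body repeats `const express = require('express');`, `const port = 3000;`, the `activityFeed` array and both handlers that already follow in the file, which would leave duplicate `const` declarations; check the suggestion's range before accepting it. Separately, `const port = 3000;` is hardcoded; `const port = process.env.PORT || 3000;` lets the demo run on a host-assigned port without editing the file.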