From df629c87e4b7b5408d32f1692ea8c93fb5ac8e4e Mon Sep 17 00:00:00 2001 From: John Maguire Date: Fri, 16 Oct 2020 07:35:37 -0400 Subject: [PATCH] Make regex to find cookie value more restrictive (#138) The Javascript library searches `document.cookie` to find the CSRF token value associated with the cookie named after the constant `CSRFP_TOKEN` (in practice, this is `csrfp_token`). However, the regex does not define what values may precede the token's name, meaning that a cookie such as `BNES_csrfp_token` (as was set by the Barracuda WAF) set on the same domain can be erroneously picked up instead of the correct `csrfp_token` value. This commit restricts the regex to only match if it is preceded by either the start of the string (i.e. nothing) or a semicolon followed by (a) any amount of whitespace, or (b) nothing, followed by the cookie's name. This allows it to match if it is the only/first cookie in `document.cookie` as well as if it follows another cookie in `document.cookie`. --- js/csrfprotector.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/js/csrfprotector.js b/js/csrfprotector.js index c092de2..ac58c55 100644 --- a/js/csrfprotector.js +++ b/js/csrfprotector.js @@ -44,7 +44,7 @@ var CSRFP = { * @return {String} auth key from cookie. */ _getAuthKey: function () { - var regex = new RegExp(`${CSRFP.CSRFP_TOKEN}=([^;]+)(;|$)`); + var regex = new RegExp(`(?:^|;\s*)${CSRFP.CSRFP_TOKEN}=([^;]+)(;|$)`); var regexResult = regex.exec(document.cookie); if (regexResult === null) { return null;