Add Express.js and WebSocket security skills#664
Fill framework and protocol gaps explicitly listed in the skills README.
Greptile Summary

This PR adds two new security skill playbooks. The main changes are:

- strix/skills/frameworks/express.md
- strix/skills/protocols/websocket.md

Confidence Score: 4/5

The new skills are close, but two security-guidance paths need fixes before merging.

| Filename | Overview |
|---|---|
| strix/skills/frameworks/express.md | Adds the Express.js skill; discovery conventions look correct, but the CSRF guidance should stop recommending deprecated csurf. |
| strix/skills/protocols/websocket.md | Adds the WebSocket skill; discovery conventions look correct, but the CSWSH guidance needs SameSite cookie nuance. |
Reviews (1): Last reviewed commit: "Add Express.js and WebSocket security sk..."
strix/skills/frameworks/express.md:112

```markdown
### CSRF

Express has no built-in CSRF protection.
- `express-session` + cookie auth on POST/PUT/DELETE without `csurf` or double-submit token
```
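Review bot: The method list in the `express-session` bullet omits PATCH, which is state-changing and needs the same CSRF check as POST/PUT/DELETE; suggest `POST/PUT/PATCH/DELETE`, and a short note that any GET handler which mutates state is exposed regardless of which token scheme is used, since token checks conventionally skip safe methods.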
**Deprecated CSRF Middleware Recommendation**

This line names `csurf` as the Express CSRF control to look for, but that package is deprecated and unmaintained. A reviewer following this skill can tell teams to add an unsupported CSRF dependency instead of a maintained synchronizer-token or double-submit implementation, leaving the app on a mitigation path that will not receive fixes.

```suggestion
- `express-session` + cookie auth on POST/PUT/DELETE without a maintained synchronizer-token or double-submit CSRF implementation
```
strix/skills/protocols/websocket.md:66-68

```markdown
Cross-Site WebSocket Hijacking: victim browser opens WS to target with victim's cookies because server doesn't validate `Origin`.
```
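Review bot: The CSWSH line names the missing control (`Origin` validation) but not what correct validation looks like, so a reader can "fix" it with a substring or prefix check; suggest stating that the upgrade handler compares the `Origin` header against an exact allow-list of serialized origins and rejects a cookie-bearing handshake whose `Origin` is absent or unlisted.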
**SameSite CSWSH State Missing**

This CSWSH description assumes the victim browser sends cookies on a cross-site WebSocket handshake. With `SameSite=Lax` or `Strict`, modern browsers usually withhold those cookies for this handshake, so the listed PoC can become a false positive; SameSite still does not replace Origin validation for same-site subdomain or legacy-client cases.
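The Origin check the comment refers to, together with the SameSite caveat it raises, as an added example that is not part of the PR or the strix skill: a dependency-free handshake guard shaped as a Node `http` server `upgrade` handler, plus a helper that classifies whether a session cookie's `SameSite` attribute would reach a cross-site handshake at all. The allow-listed origins, the sample cookie strings, and the function names are constructed for this illustration.

```javascript
// Added example, not code from the PR or the strix project. Origin allow-list
// check for a cookie-authenticated WebSocket handshake, plus a SameSite
// classifier a tester can use to decide whether a CSWSH PoC is a false positive.
// ALLOWED_ORIGINS and the cookie strings in the tests are constructed values.

// Exact serialized origins (scheme://host[:port]) allowed to open authenticated sockets.
const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://admin.example.com"]);

function isAllowedOrigin(originHeader, allowed = ALLOWED_ORIGINS) {
  if (typeof originHeader !== "string") return false;
  let url;
  try { url = new URL(originHeader); } catch { return false; } // also rejects "null"
  // Compare the normalized origin exactly: prefix or substring matching would
  // accept unrelated hosts whose name merely starts with an allowed one.
  return allowed.has(url.origin);
}

// Browsers always send Origin on a WebSocket handshake, so a request carrying a
// session cookie but no Origin is not a browser and is refused. Requests with
// neither are left to token-based authentication further down the stack.
function evaluateHandshake(headers, allowed = ALLOWED_ORIGINS) {
  const origin = headers.origin;
  const hasCookie = typeof headers.cookie === "string" && headers.cookie.length > 0;
  if (origin !== undefined) {
    return isAllowedOrigin(origin, allowed)
      ? { accept: true, reason: "origin allow-listed" }
      : { accept: false, reason: "origin not allow-listed" };
  }
  if (hasCookie) return { accept: false, reason: "cookie credential without Origin header" };
  return { accept: true, reason: "no Origin and no cookie; must authenticate with a token" };
}

// http.Server 'upgrade' handler signature is (req, socket, head). On rejection,
// answer 403 and close before any WebSocket library touches the socket.
function upgradeGuard(allowed = ALLOWED_ORIGINS) {
  return function onUpgrade(req, socket) {
    const verdict = evaluateHandshake(req.headers, allowed);
    if (!verdict.accept) {
      socket.write("HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n");
      socket.destroy();
    }
    return verdict.accept; // caller hands accepted sockets to its WebSocket server
  };
}

// Classify a Set-Cookie header: would a browser attach this cookie to a
// cross-site handshake? "withheld" means the CSWSH PoC described in the skill
// will not fire even if the server never checks Origin.
function crossSiteCookieBehaviour(setCookieHeader) {
  const attrs = setCookieHeader.split(";").slice(1).map((a) => a.trim().toLowerCase());
  const sameSite = attrs.find((a) => a.startsWith("samesite="));
  if (!sameSite) return "browser-dependent"; // Chromium defaults to Lax; others vary
  const value = sameSite.slice("samesite=".length);
  if (value === "none") {
    // Chromium drops SameSite=None cookies that lack Secure; other engines vary.
    return attrs.includes("secure") ? "sent" : "browser-dependent";
  }
  if (value === "lax" || value === "strict") return "withheld";
  return "browser-dependent";
}

module.exports = { ALLOWED_ORIGINS, isAllowedOrigin, evaluateHandshake, upgradeGuard, crossSiteCookieBehaviour };
```

To wire it up, register `server.on("upgrade", upgradeGuard())` before handing the socket to the WebSocket library; the guard returns `false` for connections it has already closed. The classifier is the tester-side half of the caveat: a `withheld` result explains a silent PoC, while `sent` or `browser-dependent` means the finding needs the Origin check regardless.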
- Replace deprecated csurf reference with maintained CSRF patterns
- Add SameSite caveat for cross-site WebSocket hijacking tests
cc: @rajpratham1
Summary

Adds two skills explicitly listed in the skills README but missing from the repo:

- frameworks/express — Express.js middleware ordering, router auth gaps, prototype pollution, NoSQL injection, CSRF, multer uploads
- protocols/websocket — Handshake auth, CSWSH/origin validation, subscription IDOR, Socket.io namespaces, GraphQL subscriptions

Why these skills

- strix/skills/README.md — the only framework from that list still missing

Verification

Test plan