rspec/rules/S7044/javascript/how-to-fix-it/node.adoc

== How to fix it in Node.js

=== Code examples

include::../../common/fix/code-rationale.adoc[]

==== Noncompliant code example

[source,javascript,diff-id=1,diff-type=noncompliant]
----
const axios = require('axios');
const express = require('express');

const app = express();

app.get('/example', async (req, res) => {
    const id = req.query.id;

    try {
        await axios.get(`https://example.com/user/{id}`); // Noncompliant
        res.send("OK");
    } catch (err) {
        console.error(err);
        res.send("ERROR");
    }
})
----

==== Compliant solution

[source,javascript,diff-id=1,diff-type=compliant]
----
const axios = require('axios');
const express = require('express');

const app = express();

app.get('/example', async (req, res) => {
    const id = EncodeURIComponent(req.query.id);

    try {
        await axios.get(`https://example.com/user/?id={id}`);
        res.send("OK");
    } catch (err) {
        console.error(err);
        res.send("ERROR");
    }
})
----

=== How does this work?

include::../../common/fix/encoding.adoc[]

Note that https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURI[`encodeURI()`] does not encode forward slashes and can therefore not prevent this vulnerabilty.
Create rule S7044(JS): Server-side requests should not be vulnerable to traversing attacks APPSEC-2042 (#4175) * Add javascript to rule S7044 * Added contents * Apply suggestions from code review * Update rules/S7044/javascript/how-to-fix-it/node.adoc * Update rules/S7044/javascript/how-to-fix-it/node.adoc Co-authored-by: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com> * Update rules/S7044/javascript/how-to-fix-it/node.adoc * Update rules/S7044/javascript/how-to-fix-it/node.adoc * Apply suggestions from code review --------- Co-authored-by: loris-s-sonarsource <loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Loris Sierra <loris.sierra@sonarsource.com> Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> Co-authored-by: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com> 2024-08-23 11:15:35 +02:00			`== How to fix it in Node.js`

			`=== Code examples`

			`include::../../common/fix/code-rationale.adoc[]`

			`==== Noncompliant code example`

			`[source,javascript,diff-id=1,diff-type=noncompliant]`
			`----`
			`const axios = require('axios');`
			`const express = require('express');`

			`const app = express();`

			`app.get('/example', async (req, res) => {`
			`const id = req.query.id;`

			`try {`
			await axios.get(`https://example.com/user/{id}`); // Noncompliant
			`res.send("OK");`
			`} catch (err) {`
			`console.error(err);`
			`res.send("ERROR");`
			`}`
			`})`
			`----`

			`==== Compliant solution`

			`[source,javascript,diff-id=1,diff-type=compliant]`
			`----`
			`const axios = require('axios');`
			`const express = require('express');`

			`const app = express();`

			`app.get('/example', async (req, res) => {`
			`const id = EncodeURIComponent(req.query.id);`

			`try {`
			await axios.get(`https://example.com/user/?id={id}`);
			`res.send("OK");`
			`} catch (err) {`
			`console.error(err);`
			`res.send("ERROR");`
			`}`
			`})`
			`----`

			`=== How does this work?`

			`include::../../common/fix/encoding.adoc[]`

			Note that https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURI[`encodeURI()`] does not encode forward slashes and can therefore not prevent this vulnerabilty.