rspec/rules/S4423/javascript/rule.adoc

include::../description.adoc[]

== Noncompliant Code Example

``++secureProtocol++``, ``++minVersion++``/``++maxVersion++`` and ``++secureOptions++`` should not be set to use weak TLS protocols (TLSv1.1 and lower):

----
let options = {
  secureProtocol: 'TLSv1_method' // Noncompliant: TLS1.0 is insecure
};

let options = {
  minVersion: 'TLSv1.1',  // Noncompliant: TLS1.1 is insecure
  maxVersion: 'TLSv1.2' 
};

let options = {
  secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_TLSv1
}; // Noncompliant TLS 1.1 (constants.SSL_OP_NO_TLSv1_1) is not disabled
----

https://nodejs.org/api/https.html[https] built-in module:

----
let req = https.request(options, (res) => {
  res.on('data', (d) => {
    process.stdout.write(d);
  });
});  // Noncompliant
----

https://nodejs.org/api/tls.html[tls] built-in module:

----
let socket = tls.connect(443, "www.example.com", options, () => { });  // Noncompliant
----

https://www.npmjs.com/package/request[request] module:

----
let socket = request.get(options);
----

== Compliant Solution

Set either ``++secureProtocol++`` or ``++secureOptions++`` or ``++minVersion++`` to use secure protocols only (TLSv1.2 and higher):

----
let options = {
  secureProtocol: 'TLSv1_2_method'
};
// or
let options = {
  secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_TLSv1 | constants.SSL_OP_NO_TLSv1_1
};
// or
let options = {
    minVersion: 'TLSv1.2'
};
----

https://nodejs.org/api/https.html[https] built-in module:

----
let req = https.request(options, (res) => {
  res.on('data', (d) => {
    process.stdout.write(d);
  });
});  // Compliant
----


https://nodejs.org/api/tls.html[tls] built-in module:

----
let socket = tls.connect(443, "www.example.com", options, () => { }); 
----

https://www.npmjs.com/package/request[request] module:

----
let socket = request.get(options);
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

include::../highlighting.adoc[]

'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`include::../description.adoc[]`

			`== Noncompliant Code Example`

make in-line code blocks verbatim 2021-01-27 13:42:22 +01:00			``++secureProtocol++``, ``++minVersion++``/``++maxVersion++`` and ``++secureOptions++`` should not be set to use weak TLS protocols (TLSv1.1 and lower):
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`----`
			`let options = {`
			`secureProtocol: 'TLSv1_method' // Noncompliant: TLS1.0 is insecure`
			`};`

Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`let options = {`
			`minVersion: 'TLSv1.1', // Noncompliant: TLS1.1 is insecure`
			`maxVersion: 'TLSv1.2'`
			`};`
Add rules 4000-4999 2020-06-30 12:49:37 +02:00
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`let options = {`
			`secureOptions: constants.SSL_OP_NO_SSLv2 \| constants.SSL_OP_NO_SSLv3 \| constants.SSL_OP_NO_TLSv1`
			`}; // Noncompliant TLS 1.1 (constants.SSL_OP_NO_TLSv1_1) is not disabled`
			`----`

			`https://nodejs.org/api/https.html[https] built-in module:`

			`----`
			`let req = https.request(options, (res) => {`
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`res.on('data', (d) => {`
			`process.stdout.write(d);`
			`});`
			`}); // Noncompliant`
			`----`

			`https://nodejs.org/api/tls.html[tls] built-in module:`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`----`
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`let socket = tls.connect(443, "www.example.com", options, () => { }); // Noncompliant`
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`----`

			`https://www.npmjs.com/package/request[request] module:`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`----`
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`let socket = request.get(options);`
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`----`

			`== Compliant Solution`

make in-line code blocks verbatim 2021-01-27 13:42:22 +01:00			Set either ``++secureProtocol++`` or ``++secureOptions++`` or ``++minVersion++`` to use secure protocols only (TLSv1.2 and higher):
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`----`
			`let options = {`
			`secureProtocol: 'TLSv1_2_method'`
			`};`
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`// or`
			`let options = {`
			`secureOptions: constants.SSL_OP_NO_SSLv2 \| constants.SSL_OP_NO_SSLv3 \| constants.SSL_OP_NO_TLSv1 \| constants.SSL_OP_NO_TLSv1_1`
			`};`
			`// or`
			`let options = {`
			`minVersion: 'TLSv1.2'`
			`};`
			`----`
Add rules 4000-4999 2020-06-30 12:49:37 +02:00
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`https://nodejs.org/api/https.html[https] built-in module:`
Add rules 4000-4999 2020-06-30 12:49:37 +02:00
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`----`
			`let req = https.request(options, (res) => {`
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`res.on('data', (d) => {`
			`process.stdout.write(d);`
			`});`
			`}); // Compliant`
			`----`


			`https://nodejs.org/api/tls.html[tls] built-in module:`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`----`
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`let socket = tls.connect(443, "www.example.com", options, () => { });`
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`----`

			`https://www.npmjs.com/package/request[request] module:`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`----`
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`let socket = request.get(options);`
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`----`

			`include::../see.adoc[]`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

			`include::../highlighting.adoc[]`

RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

			`include::../comments-and-links.adoc[]`
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`