rspec/rules/S5334/javascript/rule.adoc

include::../description.adoc[]

== Noncompliant Code Example

In a MongoDB context, https://docs.mongodb.com/manual/faq/fundamentals/#how-does-mongodb-address-sql-or-query-injection[arbitrary Javascript code] can be executed with the `+$where+` operator for instance:

----
let username = req.query.username;
query = { $where: `this.username == '${username}'` }
User.find(query, function (err, users) {
  if (err) {
    // Handle errors
  } else {
    res.render('userlookup', { title: 'User Lookup', users: users });
  }
});
----

== Compliant Solution

In a MongoDB context, don't use `+$where+` operator or validate the data:

----
let username = req.query.username;
query = { username: username }
User.find(query, function (err, users) {
  if (err) {
    // Handle errors
  } else {
    res.render('userlookup', { title: 'User Lookup', users: users });
  }
});
----

include::../see.adoc[]
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`include::../description.adoc[]`

			`== Noncompliant Code Example`

			In a MongoDB context, https://docs.mongodb.com/manual/faq/fundamentals/#how-does-mongodb-address-sql-or-query-injection[arbitrary Javascript code] can be executed with the `+$where+` operator for instance:

			`----`
			`let username = req.query.username;`
			query = { $where: `this.username == '${username}'` }
			`User.find(query, function (err, users) {`
			`if (err) {`
			`// Handle errors`
			`} else {`
			`res.render('userlookup', { title: 'User Lookup', users: users });`
			`}`
			`});`
			`----`

			`== Compliant Solution`

			In a MongoDB context, don't use `+$where+` operator or validate the data:

			`----`
			`let username = req.query.username;`
			`query = { username: username }`
			`User.find(query, function (err, users) {`
			`if (err) {`
			`// Handle errors`
			`} else {`
			`res.render('userlookup', { title: 'User Lookup', users: users });`
			`}`
			`});`
			`----`

			`include::../see.adoc[]`