rspec/rules/S2598/javascript/rule.adoc

include::../description.adoc[]

== Noncompliant Code Example

https://www.npmjs.com/package/formidable[formidable] module:
----
const Formidable = require('formidable');

const form = new Formidable(); // Noncompliant, this form is not safe
form.uploadDir = ""; // because upload dir is not defined (by default os temp dir: /var/tmp or /tmp)
form.keepExtensions = true; // and file extensions are kept
----

https://www.npmjs.com/package/multer[multer] (Express.js middleware) module:
----
const multer = require('multer');

let diskStorage = multer.diskStorage({ // Noncompliant: no destination specified
  filename: (req, file, cb) => {
    const buf = crypto.randomBytes(20);
    cb(null, buf.toString('hex'))
  }
});

// This upload is not safe as no destination specified, /var/tmp or /tmp will be used
let diskupload = multer({ 
  storage: diskStorage,
});
----

== Compliant Solution

https://www.npmjs.com/package/formidable[formidable] module:
----
const Formidable = require('formidable');

const form = new Formidable(); // Compliant
form.uploadDir = "./uploads/";
form.keepExtensions = false;
----

https://www.npmjs.com/package/multer[multer] (Express.js middleware) module:
----
const multer = require('multer');

let diskStorage = multer.diskStorage({  // Compliant
  filename: (req, file, cb) => {
    const buf = crypto.randomBytes(20);
    cb(null, buf.toString('hex'))
  },
  destination: (req, file, cb) => {
    cb(null, './uploads/')
  }
});

let diskupload = multer({
  storage: diskStorage,
});
----

include::../see.adoc[]
Add rules 2000-2999 2020-06-30 12:48:07 +02:00			`include::../description.adoc[]`

			`== Noncompliant Code Example`

			`https://www.npmjs.com/package/formidable[formidable] module:`
			`----`
			`const Formidable = require('formidable');`

			`const form = new Formidable(); // Noncompliant, this form is not safe`
			`form.uploadDir = ""; // because upload dir is not defined (by default os temp dir: /var/tmp or /tmp)`
			`form.keepExtensions = true; // and file extensions are kept`
			`----`

			`https://www.npmjs.com/package/multer[multer] (Express.js middleware) module:`
			`----`
			`const multer = require('multer');`

			`let diskStorage = multer.diskStorage({ // Noncompliant: no destination specified`
			`filename: (req, file, cb) => {`
			`const buf = crypto.randomBytes(20);`
			`cb(null, buf.toString('hex'))`
			`}`
			`});`

			`// This upload is not safe as no destination specified, /var/tmp or /tmp will be used`
			`let diskupload = multer({`
			`storage: diskStorage,`
			`});`
			`----`

			`== Compliant Solution`

			`https://www.npmjs.com/package/formidable[formidable] module:`
			`----`
			`const Formidable = require('formidable');`

			`const form = new Formidable(); // Compliant`
			`form.uploadDir = "./uploads/";`
			`form.keepExtensions = false;`
			`----`

			`https://www.npmjs.com/package/multer[multer] (Express.js middleware) module:`
			`----`
			`const multer = require('multer');`

			`let diskStorage = multer.diskStorage({ // Compliant`
			`filename: (req, file, cb) => {`
			`const buf = crypto.randomBytes(20);`
			`cb(null, buf.toString('hex'))`
			`},`
			`destination: (req, file, cb) => {`
			`cb(null, './uploads/')`
			`}`
			`});`

			`let diskupload = multer({`
			`storage: diskStorage,`
			`});`
			`----`

			`include::../see.adoc[]`