|
|
|
include::../description.adoc[]
|
|
|
|
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
|
|
|
|
== Sensitive Code Example
|
|
|
|
|
|
|
|
----
|
|
|
|
// === Built-in NodeJS modules ===
// In these examples `url` is the request target. The call itself is what the
// rule reports; the review question is where `url` comes from (user input,
// configuration, a hard-coded value) and what is later done with `res`.
const http = require('http');
// http:// carries the request and the response in cleartext.
http.request(url, (res) => {}); // Sensitive
http.get(url, (res) => {}); // Sensitive

const https = require('https');
// https:// only helps when certificate verification is left enabled (an option
// such as `rejectUnauthorized: false` would switch it off) and the host is one
// the application is meant to talk to.
https.request(url, (res) => {}); // Sensitive
https.get(url, (res) => {}); // Sensitive
|
|
|
|
----
|
|
|
|
|
|
|
|
----
|
|
|
|
// === Request NodeJS module ===
const request = require('request');
// All Request methods making HTTP requests are security-sensitive and should be reviewed.
// NOTE(review): the `request` package has been deprecated by its maintainers and
// no longer receives fixes; new code should use a maintained client — confirm
// against the npm page before relying on it.
// Examples:
request(url, function (error, res, body) {}); // Sensitive
request.get(url); // Sensitive
|
|
|
|
----
|
|
|
|
|
|
|
|
----
|
|
|
|
// === Axios module ===
const axios = require('axios');
// All Axios methods making HTTP requests are security-sensitive and should be reviewed.
// The same applies to the `axios(config)` call form and to instances obtained
// from `axios.create()`; the method name is not what matters, the request is.
// Example:
axios.get(url) // Sensitive
.then(function (res) {}); // illustration only: no rejection handler is attached here
|
|
|
|
----
|
|
|
|
|
|
|
|
----
|
|
|
|
// === In browser, XMLHttpRequest ===
var xmlhttp = null;
if (window.XMLHttpRequest) {
  xmlhttp = new XMLHttpRequest(); // modern browsers
} else {
  xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); // very old IE browsers
}
xmlhttp.onreadystatechange = function() {};
// The third argument `false` asks for a synchronous XHR, which blocks the page
// until the response arrives (deprecated on the main thread). It does not
// change the security review, which is about the target `url` and the use of
// the response.
xmlhttp.open("GET", url, false); // Sensitive
xmlhttp.send(); // `open` only binds method and URL; the request is issued here
|
|
|
|
----
|
|
|
|
|
|
|
|
----
|
|
|
|
// === In modern browsers, Fetch API ===
// `fetch` resolves for any HTTP status and rejects only on network failure, so
// the `res` handler is where the response gets trusted or not: review what it
// feeds (`res.json()`, DOM insertion, ...). If `url` is cross-origin, also check
// which credentials the request is configured to carry.
window.fetch(url) // Sensitive
.then(function(res) {});
|
|
|
|
----
|
|
|
|
|
|
|
|
----
|
|
|
|
// === In old IE browsers, XDomainRequest ===
// XDomainRequest is the IE8/IE9-only cross-origin predecessor of CORS-capable
// XMLHttpRequest; the same review applies as for the XMLHttpRequest example.
var xdr = new XDomainRequest();
xdr.open("GET", url); // Sensitive
xdr.send();
|
|
|
|
----
|
|
|
|
|
|
|
|
----
|
|
|
|
// === In browser, jQuery ===
// All jQuery methods making HTTP requests are security-sensitive and should be reviewed.
// Note: per jQuery's ajax documentation, with `dataType: 'script'` or `'jsonp'`
// (and with `$.getScript`) the response body is executed as JavaScript, so an
// attacker-influenced `url` means code execution in the page, not just a data fetch.
// Examples:
$.ajax({ url: url }) // Sensitive
.done(function(data) {});
$.get(url, function(data) {}); // Sensitive
|
|
|
|
----
|
|
|
|
|
|
|
|
include::../see.adoc[]
|
|
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
|
|
|
|
'''
|
|
|
|
== Implementation Specification
|
|
|
|
(visible only on this page)
|
|
|
|
|
|
|
|
=== Message
|
|
|
|
|
|
|
|
Make sure that this HTTP request is sent safely.
|
|
|
|
|
|
|
|
|
|
|
|
'''
|
|
|
|
== Comments And Links
|
|
|
|
(visible only on this page)
|
|
|
|
|
|
|
|
=== on 9 Dec 2018, 16:04:48 Lars Svensson wrote:
|
|
|
|
https://nodejs.org/api/http.html
|
|
|
|
|
|
|
|
https://nodejs.org/api/https.html
|
|
|
|
|
|
|
|
https://www.npmjs.com/package/request - most popular HTTP request module, with 14.7M downloads/week.
|
|
|
|
|
|
|
|
https://www.npmjs.com/package/axios - another popular library for both client and server side.
|
|
|
|
|
|
|
|
https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest
|
|
|
|
|
|
|
|
https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API
|
|
|
|
|
|
|
|
https://api.jquery.com/category/ajax/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
include::../comments-and-links.adoc[]
|
|
|
|
|
|
|
|
endif::env-github,rspecator-view[]
|