rspec/rules/S5527/javascript/rule.adoc

== Why is this an issue?

include::../description.adoc[]

=== Noncompliant code example

https://nodejs.org/api/https.html[https] built-in module:

[source,javascript]
----
let options = {
  hostname: 'www.example.com',
  port: 443,
  path: '/',
  method: 'GET',
  secureProtocol: 'TLSv1_2_method',
  checkServerIdentity: function() {} // Noncompliant: hostname is not verified
};

let req = https.request(options, (res) => {
  res.on('data', (d) => {
    process.stdout.write(d);
  });
}); // Noncompliant
----

https://nodejs.org/api/tls.html[tls] built-in module:

[source,javascript]
----
let options = {
    secureProtocol: 'TLSv1_2_method',
    checkServerIdentity: function() {}  // Noncompliant: hostname is not verified
};

let socket = tls.connect(443, "www.example.com", options, () => {
  process.stdin.pipe(socket);
  process.stdin.resume();
});  // Noncompliant
----

https://www.npmjs.com/package/request[request] module:

[source,javascript]
----
let socket = request.get({
    url: 'https://www.example.com',
    secureProtocol: 'TLSv1_2_method',
    checkServerIdentity: function() {}  // Noncompliant: hostname is not verified
});
----

=== Compliant solution

https://nodejs.org/api/https.html[https] built-in module:

[source,javascript]
----
let options = {
  hostname: 'www.example.com',
  port: 443,
  path: '/',
  method: 'GET',
  secureProtocol: 'TLSv1_2_method'
};

let req = https.request(options, (res) => {
  res.on('data', (d) => {
    process.stdout.write(d);
  });
}); // Compliant: default checkServerIdentity function is secure
----


https://nodejs.org/api/tls.html[tls] built-in module:

[source,javascript]
----
let options = {
    secureProtocol: 'TLSv1_2_method',
    checkServerIdentity: (servername, peer) => {
        if (servername !== "www.example.com") {
            return new Error ('Error');  // Compliant: there is at least one check 
        }
    }
};

let socket = tls.connect(443, "www.example.com", options, () => {
  process.stdin.pipe(socket);
  process.stdin.resume();
}); // Compliant
----

https://www.npmjs.com/package/request[request] module:

[source,javascript]
----
let socket = request.get({
    url: 'https://www.example.com/',
    secureProtocol: 'TLSv1_2_method' // Compliant
}); // Compliant:  default checkServerIdentity function is secure 
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

=== Highlighting

When ``++https.request++``|``++request.get++``|``++tls.connect++`` is used:

* primary location: the call to ``++https.request/...++``
* secondary location: on ``++rejectUnauthorized: false++``
** message: 'Set "rejectUnauthorized" to "true".'


'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Why is this an issue?`

Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00			`include::../description.adoc[]`

migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Noncompliant code example`
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00
			`https://nodejs.org/api/https.html[https] built-in module:`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,javascript]`
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00			`----`
			`let options = {`
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`hostname: 'www.example.com',`
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00			`port: 443,`
			`path: '/',`
			`method: 'GET',`
			`secureProtocol: 'TLSv1_2_method',`
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`checkServerIdentity: function() {} // Noncompliant: hostname is not verified`
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00			`};`

			`let req = https.request(options, (res) => {`
			`res.on('data', (d) => {`
			`process.stdout.write(d);`
			`});`
			`}); // Noncompliant`
			`----`

			`https://nodejs.org/api/tls.html[tls] built-in module:`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,javascript]`
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00			`----`
			`let options = {`
			`secureProtocol: 'TLSv1_2_method',`
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`checkServerIdentity: function() {} // Noncompliant: hostname is not verified`
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00			`};`

			`let socket = tls.connect(443, "www.example.com", options, () => {`
			`process.stdin.pipe(socket);`
			`process.stdin.resume();`
			`}); // Noncompliant`
			`----`

			`https://www.npmjs.com/package/request[request] module:`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,javascript]`
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00			`----`
			`let socket = request.get({`
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`url: 'https://www.example.com',`
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00			`secureProtocol: 'TLSv1_2_method',`
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`checkServerIdentity: function() {} // Noncompliant: hostname is not verified`
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00			`});`
			`----`

migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Compliant solution`
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00
			`https://nodejs.org/api/https.html[https] built-in module:`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,javascript]`
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00			`----`
			`let options = {`
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`hostname: 'www.example.com',`
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00			`port: 443,`
			`path: '/',`
			`method: 'GET',`
			`secureProtocol: 'TLSv1_2_method'`
			`};`

			`let req = https.request(options, (res) => {`
			`res.on('data', (d) => {`
			`process.stdout.write(d);`
			`});`
			`}); // Compliant: default checkServerIdentity function is secure`
			`----`


			`https://nodejs.org/api/tls.html[tls] built-in module:`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,javascript]`
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00			`----`
			`let options = {`
			`secureProtocol: 'TLSv1_2_method',`
			`checkServerIdentity: (servername, peer) => {`
			`if (servername !== "www.example.com") {`
			`return new Error ('Error'); // Compliant: there is at least one check`
			`}`
			`}`
			`};`

			`let socket = tls.connect(443, "www.example.com", options, () => {`
			`process.stdin.pipe(socket);`
			`process.stdin.resume();`
			`}); // Compliant`
			`----`

			`https://www.npmjs.com/package/request[request] module:`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,javascript]`
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00			`----`
			`let socket = request.get({`
			`url: 'https://www.example.com/',`
			`secureProtocol: 'TLSv1_2_method' // Compliant`
			`}); // Compliant: default checkServerIdentity function is secure`
			`----`

			`include::../see.adoc[]`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Highlighting`

			When ``++https.request++``\|``++request.get++``\|``++tls.connect++`` is used:

			* primary location: the call to ``++https.request/...++``
			* secondary location: on ``++rejectUnauthorized: false++``
			`** message: 'Set "rejectUnauthorized" to "true".'`

RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

			`include::../comments-and-links.adoc[]`
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`