ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S2598/javascript/how-to-fix-it/multer.adoc

51 lines
1.0 KiB
Plaintext
Raw Normal View History

Modify S2596(javascript): Convert to LayC (#2901) This PR also removes the java folder because it is not implemented and has no implementation plan. This PR was made spontaneously during Daniel's onboarding. --------- Co-authored-by: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com>
2023-08-18 11:31:06 +02:00
== How to fix it in Multer
=== Code examples
==== Noncompliant code example
The following code sample is vulnerable because it implicitly uses `/tmp` or
`/var/tmp` as upload directory.
[source,javascript,diff-id=2,diff-type=noncompliant]
----
const crypto = require('node:crypto');
const multer = require('multer');
let diskStorage = multer.diskStorage({
filename: (req, file, cb) => {
const buf = crypto.randomBytes(20);
cb(null, buf.toString('hex'))
}
}); // Noncompliant
let diskUpload = multer({
storage: diskStorage,
});
----
==== Compliant code example
[source,javascript,diff-id=2,diff-type=compliant]
----
const multer = require('multer');
let diskStorage = multer.diskStorage({
filename: (req, file, cb) => {
const buf = crypto.randomBytes(20);
cb(null, buf.toString('hex'))
},
destination: (req, file, cb) => {
cb(null, '/uploads/')
}
});
let diskUpload = multer({
storage: diskStorage,
});
----
=== How does this work?
include::../../common/fix/allowed-folder.adoc[]
Reference in New Issue Copy Permalink