rspec/rules/S2077/javascript/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

----
// === MySQL ===
const mysql = require('mysql');
const mycon = mysql.createConnection({ host: host, user: user, password: pass, database: db });
mycon.connect(function(err) {
  mycon.query('SELECT * FROM users WHERE id = ' + userinput, (err, res) => {}); // Sensitive
});

// === PostgreSQL ===
const pg = require('pg');
const pgcon = new pg.Client({ host: host, user: user, password: pass, database: db });
pgcon.connect();
pgcon.query('SELECT * FROM users WHERE id = ' + userinput, (err, res) => {}); // Sensitive
----

== Compliant Solution

----
// === MySQL ===
const mysql = require('mysql');
const mycon = mysql.createConnection({ host: host, user: user, password: pass, database: db });
mycon.connect(function(err) {
  mycon.query('SELECT name FROM users WHERE id = ?', [userinput], (err, res) => {});
});

// === PostgreSQL ===
const pg = require('pg');
const pgcon = new pg.Client({ host: host, user: user, password: pass, database: db });
pgcon.connect();
pgcon.query('SELECT name FROM users WHERE id = $1', [userinput], (err, res) => {});
----

== Exceptions

This rule's current implementation does not follow variables. It will only detect SQL queries which are formatted directly in the function call.

----
const sql = 'SELECT * FROM users WHERE id = ' + userinput;
mycon.query(sql, (err, res) => {}); // Sensitive but no issue is raised.
----

include::../see.adoc[]
move coveredLangauges and replacementRules into extra field 2021-02-16 17:52:17 +01:00			`include::../description.adoc[]`
Add rules 2000-2999 2020-06-30 12:48:07 +02:00
			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

			`----`
			`// === MySQL ===`
			`const mysql = require('mysql');`
			`const mycon = mysql.createConnection({ host: host, user: user, password: pass, database: db });`
			`mycon.connect(function(err) {`
			`mycon.query('SELECT * FROM users WHERE id = ' + userinput, (err, res) => {}); // Sensitive`
			`});`

			`// === PostgreSQL ===`
			`const pg = require('pg');`
			`const pgcon = new pg.Client({ host: host, user: user, password: pass, database: db });`
			`pgcon.connect();`
			`pgcon.query('SELECT * FROM users WHERE id = ' + userinput, (err, res) => {}); // Sensitive`
			`----`

			`== Compliant Solution`

			`----`
			`// === MySQL ===`
			`const mysql = require('mysql');`
			`const mycon = mysql.createConnection({ host: host, user: user, password: pass, database: db });`
			`mycon.connect(function(err) {`
			`mycon.query('SELECT name FROM users WHERE id = ?', [userinput], (err, res) => {});`
			`});`

			`// === PostgreSQL ===`
			`const pg = require('pg');`
			`const pgcon = new pg.Client({ host: host, user: user, password: pass, database: db });`
			`pgcon.connect();`
			`pgcon.query('SELECT name FROM users WHERE id = $1', [userinput], (err, res) => {});`
			`----`

			`== Exceptions`

			`This rule's current implementation does not follow variables. It will only detect SQL queries which are formatted directly in the function call.`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 2000-2999 2020-06-30 12:48:07 +02:00			`----`
			`const sql = 'SELECT * FROM users WHERE id = ' + userinput;`
			`mycon.query(sql, (err, res) => {}); // Sensitive but no issue is raised.`
			`----`

			`include::../see.adoc[]`