rspec/rules/S4423/javascript/how-to-fix-it/node-js.adoc

== How to fix it in Node.js

=== Code examples

==== Noncompliant code example

NodeJs offers multiple ways to set weak TLS protocols. For https and tls,
https://nodejs.org/api/tls.html#tlscreatesecurecontextoptions[these options]
are used and are used in other third-party libraries as well.

The first is `secureProtocol`:

[source,javascript,diff-id=11,diff-type=noncompliant]
----
const https = require('node:https');
const tls   = require('node:tls');

let options = {
 secureProtocol: 'TLSv1_method' // Noncompliant
};

let req    = https.request(options, (res) => { });
let socket = tls.connect(443, "www.example.com", options, () => { });
----

The second is the combination of `minVersion` and `maxVerison`. Note that they
cannot be specified along with the `secureProtocol` option:

[source,javascript,diff-id=12,diff-type=noncompliant]
----
const https = require('node:https');
const tls   = require('node:tls');

let options = {
  minVersion: 'TLSv1.1',  // Noncompliant
  maxVersion: 'TLSv1.2'
};

let req    = https.request(options, (res) => { });
let socket = tls.connect(443, "www.example.com", options, () => { });
----

And `secureOptions`, which in this example instructs the OpenSSL protocol to
turn off some algorithms altogether. In general, this option might trigger side
effects and should be used carefully, if used at all.

[source,javascript,diff-id=13,diff-type=noncompliant]
----
const https     = require('node:https');
const tls       = require('node:tls');
const constants = require('node:crypto'):

let options = {
  secureOptions:
    constants.SSL_OP_NO_SSLv2
    | constants.SSL_OP_NO_SSLv3
    | constants.SSL_OP_NO_TLSv1
}; // Noncompliant

let req    = https.request(options, (res) => { });
let socket = tls.connect(443, "www.example.com", options, () => { });
----

==== Compliant solution

[source,javascript,diff-id=11,diff-type=compliant]
----
const https = require('node:https');
const tls   = require('node:tls');

let options = {
  secureProtocol: 'TLSv1_2_method'
};

let req    = https.request(options, (res) => { });
let socket = tls.connect(443, "www.example.com", options, () => { });
----

[source,javascript,diff-id=12,diff-type=compliant]
----
const https = require('node:https');
const tls   = require('node:tls');

let options = {
  minVersion: 'TLSv1.2',
  maxVersion: 'TLSv1.2'
};

let req    = https.request(options, (res) => { });
let socket = tls.connect(443, "www.example.com", options, () => { });

----

Here, the goal is to turn on only TLSv1.2 and higher, by turning off all lower
versions:

[source,javascript,diff-id=13,diff-type=compliant]
----
const https = require('node:https');
const tls   = require('node:tls');

let options = {
  secureOptions:
    constants.SSL_OP_NO_SSLv2
    | constants.SSL_OP_NO_SSLv3
    | constants.SSL_OP_NO_TLSv1
    | constants.SSL_OP_NO_TLSv1_1
};

let req    = https.request(options, (res) => { });
let socket = tls.connect(443, "www.example.com", options, () => { });
----

=== How does this work?

include::../../common/fix/fix.adoc[]
Modify S4423: Learn-As-You-Code Migration (#2097) Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> 2023-06-20 17:36:01 +02:00			`== How to fix it in Node.js`

			`=== Code examples`

			`==== Noncompliant code example`

			`NodeJs offers multiple ways to set weak TLS protocols. For https and tls,`
			`https://nodejs.org/api/tls.html#tlscreatesecurecontextoptions[these options]`
			`are used and are used in other third-party libraries as well.`

			The first is `secureProtocol`:

Diff blocks: fix some incorrect use for javascript (#2802) Improvement identified in #2790. Add a prefix to the diff-id when it is used multiple times in different "how to fix it in XYZ" sections to avoid ambiguity and pedantically follow the spec: > A single and unique diff-id should be used only once for each type of code example as shown in the description of a rule. Obvious typos around `diff-type` were fixed. 2023-08-15 09:43:48 +02:00			`[source,javascript,diff-id=11,diff-type=noncompliant]`
Modify S4423: Learn-As-You-Code Migration (#2097) Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> 2023-06-20 17:36:01 +02:00			`----`
			`const https = require('node:https');`
			`const tls = require('node:tls');`

			`let options = {`
			`secureProtocol: 'TLSv1_method' // Noncompliant`
			`};`

			`let req = https.request(options, (res) => { });`
			`let socket = tls.connect(443, "www.example.com", options, () => { });`
			`----`

			The second is the combination of `minVersion` and `maxVerison`. Note that they
			cannot be specified along with the `secureProtocol` option:

Diff blocks: fix some incorrect use for javascript (#2802) Improvement identified in #2790. Add a prefix to the diff-id when it is used multiple times in different "how to fix it in XYZ" sections to avoid ambiguity and pedantically follow the spec: > A single and unique diff-id should be used only once for each type of code example as shown in the description of a rule. Obvious typos around `diff-type` were fixed. 2023-08-15 09:43:48 +02:00			`[source,javascript,diff-id=12,diff-type=noncompliant]`
Modify S4423: Learn-As-You-Code Migration (#2097) Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> 2023-06-20 17:36:01 +02:00			`----`
			`const https = require('node:https');`
			`const tls = require('node:tls');`

			`let options = {`
			`minVersion: 'TLSv1.1', // Noncompliant`
			`maxVersion: 'TLSv1.2'`
			`};`

			`let req = https.request(options, (res) => { });`
			`let socket = tls.connect(443, "www.example.com", options, () => { });`
			`----`

			And `secureOptions`, which in this example instructs the OpenSSL protocol to
			`turn off some algorithms altogether. In general, this option might trigger side`
			`effects and should be used carefully, if used at all.`

Diff blocks: fix some incorrect use for javascript (#2802) Improvement identified in #2790. Add a prefix to the diff-id when it is used multiple times in different "how to fix it in XYZ" sections to avoid ambiguity and pedantically follow the spec: > A single and unique diff-id should be used only once for each type of code example as shown in the description of a rule. Obvious typos around `diff-type` were fixed. 2023-08-15 09:43:48 +02:00			`[source,javascript,diff-id=13,diff-type=noncompliant]`
Modify S4423: Learn-As-You-Code Migration (#2097) Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> 2023-06-20 17:36:01 +02:00			`----`
			`const https = require('node:https');`
			`const tls = require('node:tls');`
			`const constants = require('node:crypto'):`

			`let options = {`
Diff blocks: fix some incorrect use for javascript (#2802) Improvement identified in #2790. Add a prefix to the diff-id when it is used multiple times in different "how to fix it in XYZ" sections to avoid ambiguity and pedantically follow the spec: > A single and unique diff-id should be used only once for each type of code example as shown in the description of a rule. Obvious typos around `diff-type` were fixed. 2023-08-15 09:43:48 +02:00			`secureOptions:`
			`constants.SSL_OP_NO_SSLv2`
			`\| constants.SSL_OP_NO_SSLv3`
			`\| constants.SSL_OP_NO_TLSv1`
Modify S4423: Learn-As-You-Code Migration (#2097) Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> 2023-06-20 17:36:01 +02:00			`}; // Noncompliant`

			`let req = https.request(options, (res) => { });`
			`let socket = tls.connect(443, "www.example.com", options, () => { });`
			`----`

			`==== Compliant solution`

Diff blocks: fix some incorrect use for javascript (#2802) Improvement identified in #2790. Add a prefix to the diff-id when it is used multiple times in different "how to fix it in XYZ" sections to avoid ambiguity and pedantically follow the spec: > A single and unique diff-id should be used only once for each type of code example as shown in the description of a rule. Obvious typos around `diff-type` were fixed. 2023-08-15 09:43:48 +02:00			`[source,javascript,diff-id=11,diff-type=compliant]`
Modify S4423: Learn-As-You-Code Migration (#2097) Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> 2023-06-20 17:36:01 +02:00			`----`
			`const https = require('node:https');`
			`const tls = require('node:tls');`

			`let options = {`
			`secureProtocol: 'TLSv1_2_method'`
			`};`

			`let req = https.request(options, (res) => { });`
			`let socket = tls.connect(443, "www.example.com", options, () => { });`
			`----`

Diff blocks: fix some incorrect use for javascript (#2802) Improvement identified in #2790. Add a prefix to the diff-id when it is used multiple times in different "how to fix it in XYZ" sections to avoid ambiguity and pedantically follow the spec: > A single and unique diff-id should be used only once for each type of code example as shown in the description of a rule. Obvious typos around `diff-type` were fixed. 2023-08-15 09:43:48 +02:00			`[source,javascript,diff-id=12,diff-type=compliant]`
Modify S4423: Learn-As-You-Code Migration (#2097) Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> 2023-06-20 17:36:01 +02:00			`----`
			`const https = require('node:https');`
			`const tls = require('node:tls');`

			`let options = {`
			`minVersion: 'TLSv1.2',`
			`maxVersion: 'TLSv1.2'`
			`};`

			`let req = https.request(options, (res) => { });`
			`let socket = tls.connect(443, "www.example.com", options, () => { });`

			`----`

			`Here, the goal is to turn on only TLSv1.2 and higher, by turning off all lower`
			`versions:`

Diff blocks: fix some incorrect use for javascript (#2802) Improvement identified in #2790. Add a prefix to the diff-id when it is used multiple times in different "how to fix it in XYZ" sections to avoid ambiguity and pedantically follow the spec: > A single and unique diff-id should be used only once for each type of code example as shown in the description of a rule. Obvious typos around `diff-type` were fixed. 2023-08-15 09:43:48 +02:00			`[source,javascript,diff-id=13,diff-type=compliant]`
Modify S4423: Learn-As-You-Code Migration (#2097) Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> 2023-06-20 17:36:01 +02:00			`----`
			`const https = require('node:https');`
			`const tls = require('node:tls');`

			`let options = {`
Diff blocks: fix some incorrect use for javascript (#2802) Improvement identified in #2790. Add a prefix to the diff-id when it is used multiple times in different "how to fix it in XYZ" sections to avoid ambiguity and pedantically follow the spec: > A single and unique diff-id should be used only once for each type of code example as shown in the description of a rule. Obvious typos around `diff-type` were fixed. 2023-08-15 09:43:48 +02:00			`secureOptions:`
			`constants.SSL_OP_NO_SSLv2`
			`\| constants.SSL_OP_NO_SSLv3`
			`\| constants.SSL_OP_NO_TLSv1`
Modify S4423: Learn-As-You-Code Migration (#2097) Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> 2023-06-20 17:36:01 +02:00			`\| constants.SSL_OP_NO_TLSv1_1`
			`};`

			`let req = https.request(options, (res) => { });`
			`let socket = tls.connect(443, "www.example.com", options, () => { });`
			`----`

			`=== How does this work?`

			`include::../../common/fix/fix.adoc[]`