rspec/rules/S2083/javascript/how-to-fix-it/express.adoc

== How to fix it in Express.js

=== Code examples

:code_impact: read

include::../../common/fix/code-rationale.adoc[]

==== Noncompliant code example

[source,javascript,diff-id=1,diff-type=noncompliant]
----
const path = require('path');

function (req, res) {
  const targetDirectory = "/data/app/resources/";
  const userFilename = path.join(targetDirectory, req.query.filename);

  res.sendFile(userFilename); // Noncompliant
}
----

==== Compliant solution

[source,javascript,diff-id=1,diff-type=compliant]
----
const path = require('path');

function (req, res) {
  const targetDirectory = "/data/app/resources/";
  const userFilename = req.query.filename;

  res.sendFile(userFilename, { root: targetDirectory });
}
----

=== How does this work?

:auto_canonicalization_function: res.sendFile() (used with options.root)

include::../../common/fix/function-based-validation.adoc[]

include::../../common/fix/self-validation.adoc[]

=== Pitfalls

:joining_docs: https://nodejs.org/api/path.html#pathresolvepaths
:joining_func: path.resolve

include::../../common/pitfalls/path-joining.adoc[]
Add checks for education format (#1607) 2023-03-07 17:16:47 +01:00			`== How to fix it in Express.js`

			`=== Code examples`
Modify S2083(multiple languages): Update to the education framework (APPSEC-188) (#1328) 2022-10-24 10:50:44 +02:00
			`:code_impact: read`
Make sure that includes are always surrounded by empty lines (#2270) When an include is not surrounded by empty lines, its content is inlined on the same line as the adjacent content. That can lead to broken tags and other display issues. This PR fixes all such includes and introduces a validation step that forbids introducing the same problem again. 2023-06-22 10:38:01 +02:00
Modify S2083(multiple languages): Update to the education framework (APPSEC-188) (#1328) 2022-10-24 10:50:44 +02:00			`include::../../common/fix/code-rationale.adoc[]`

			`==== Noncompliant code example`

			`[source,javascript,diff-id=1,diff-type=noncompliant]`
			`----`
			`const path = require('path');`

			`function (req, res) {`
Modify S2083(js): Fix code samples (#2811) ## Review A dedicated reviewer checked the rule description successfully for: - [x] logical errors and incorrect information - [x] information gaps and missing content - [x] text style and tone - [x] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) 2023-08-07 16:18:28 +02:00			`const targetDirectory = "/data/app/resources/";`
Modify S2083(multiple languages): Update to the education framework (APPSEC-188) (#1328) 2022-10-24 10:50:44 +02:00			`const userFilename = path.join(targetDirectory, req.query.filename);`

			`res.sendFile(userFilename); // Noncompliant`
			`}`
			`----`

			`==== Compliant solution`

			`[source,javascript,diff-id=1,diff-type=compliant]`
			`----`
			`const path = require('path');`

			`function (req, res) {`
			`const targetDirectory = "/data/app/resources/";`
			`const userFilename = req.query.filename;`

			`res.sendFile(userFilename, { root: targetDirectory });`
			`}`
			`----`

			`=== How does this work?`

			`:auto_canonicalization_function: res.sendFile() (used with options.root)`

			`include::../../common/fix/function-based-validation.adoc[]`

			`include::../../common/fix/self-validation.adoc[]`
Modify rule S2083(mult. lang): Add absolute path joining pitfall (APPSEC-213) (#1370) 2022-11-08 10:13:52 +01:00
			`=== Pitfalls`

			`:joining_docs: https://nodejs.org/api/path.html#pathresolvepaths`
			`:joining_func: path.resolve`
Make sure that includes are always surrounded by empty lines (#2270) When an include is not surrounded by empty lines, its content is inlined on the same line as the adjacent content. That can lead to broken tags and other display issues. This PR fixes all such includes and introduces a validation step that forbids introducing the same problem again. 2023-06-22 10:38:01 +02:00
Modify rule S2083(mult. lang): Add absolute path joining pitfall (APPSEC-213) (#1370) 2022-11-08 10:13:52 +01:00			`include::../../common/pitfalls/path-joining.adoc[]`