Create rule S7044(JS): Server-side requests should not be vulnerable to traversing attacks APPSEC-2042 (#4175)

* Add javascript to rule S7044 * Added contents * Apply suggestions from code review * Update rules/S7044/javascript/how-to-fix-it/node.adoc * Update rules/S7044/javascript/how-to-fix-it/node.adoc Co-authored-by: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com> * Update rules/S7044/javascript/how-to-fix-it/node.adoc * Update rules/S7044/javascript/how-to-fix-it/node.adoc * Apply suggestions from code review --------- Co-authored-by: loris-s-sonarsource <loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Loris Sierra <loris.sierra@sonarsource.com> Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> Co-authored-by: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com>
2024-08-23 11:15:35 +02:00 · 2024-08-23 11:15:35 +02:00 · dc516927c6
commit dc516927c6
parent 2ffd6bfed6
3 changed files with 71 additions and 0 deletions
--- a/rules/S7044/javascript/how-to-fix-it/node.adoc
+++ b/rules/S7044/javascript/how-to-fix-it/node.adoc
@ -0,0 +1,56 @@
+== How to fix it in Node.js
+
+=== Code examples
+
+include::../../common/fix/code-rationale.adoc[]
+
+==== Noncompliant code example
+
+[source,javascript,diff-id=1,diff-type=noncompliant]
+----
+const axios = require('axios');
+const express = require('express');
+
+const app = express();
+
+app.get('/example', async (req, res) => {
+    const id = req.query.id;
+
+    try {
+        await axios.get(`https://example.com/user/{id}`); // Noncompliant
+        res.send("OK");
+    } catch (err) {
+        console.error(err);
+        res.send("ERROR");
+    }
+})
+----
+
+==== Compliant solution
+
+[source,javascript,diff-id=1,diff-type=compliant]
+----
+const axios = require('axios');
+const express = require('express');
+
+const app = express();
+
+app.get('/example', async (req, res) => {
+    const id = EncodeURIComponent(req.query.id);
+
+    try {
+        await axios.get(`https://example.com/user/?id={id}`);
+        res.send("OK");
+    } catch (err) {
+        console.error(err);
+        res.send("ERROR");
+    }
+})
+----
+
+=== How does this work?
+
+include::../../common/fix/encoding.adoc[]
+
+Note that https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURI[`encodeURI()`] does not encode forward slashes and can therefore not prevent this vulnerabilty.
+
--- a/rules/S7044/javascript/metadata.json
+++ b/rules/S7044/javascript/metadata.json
@ -0,0 +1,2 @@
+{
+}
--- a/rules/S7044/javascript/rule.adoc
+++ b/rules/S7044/javascript/rule.adoc
@ -0,0 +1,13 @@
+== Why is this an issue?
+
+include::../rationale.adoc[]
+
+include::../impact.adoc[]
+
+// How to fix it section
+
+include::how-to-fix-it/node.adoc[]
+
+== Resources
+
+include::../common/resources/standards.adoc[]