github-actions[bot] dc516927c6
Create rule S7044(JS): Server-side requests should not be vulnerable to traversing attacks APPSEC-2042 (#4175)
* Add javascript to rule S7044

* Added contents

* Apply suggestions from code review

* Update rules/S7044/javascript/how-to-fix-it/node.adoc

* Update rules/S7044/javascript/how-to-fix-it/node.adoc

Co-authored-by: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com>

* Update rules/S7044/javascript/how-to-fix-it/node.adoc

* Update rules/S7044/javascript/how-to-fix-it/node.adoc

* Apply suggestions from code review

---------

Co-authored-by: loris-s-sonarsource <loris-s-sonarsource@users.noreply.github.com>
Co-authored-by: Loris Sierra <loris.sierra@sonarsource.com>
Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com>
Co-authored-by: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com>
2024-08-23 11:15:35 +02:00


== How to fix it in Node.js
=== Code examples
include::../../common/fix/code-rationale.adoc[]
==== Noncompliant code example
[source,javascript,diff-id=1,diff-type=noncompliant]
----
const axios = require('axios');
const express = require('express');
const app = express();

app.get('/example', async (req, res) => {
  // The user-controlled value is inserted directly into the request path
  const id = req.query.id;
  try {
    await axios.get(`https://example.com/user/${id}`); // Noncompliant
    res.send("OK");
  } catch (err) {
    console.error(err);
    res.send("ERROR");
  }
});
----
==== Compliant solution
[source,javascript,diff-id=1,diff-type=compliant]
----
const axios = require('axios');
const express = require('express');
const app = express();

app.get('/example', async (req, res) => {
  // Percent-encode the value so that "/" and "?" lose their URL meaning
  const id = encodeURIComponent(req.query.id);
  try {
    await axios.get(`https://example.com/user/?id=${id}`);
    res.send("OK");
  } catch (err) {
    console.error(err);
    res.send("ERROR");
  }
});
----
=== How does this work?
include::../../common/fix/encoding.adoc[]
Note that https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURI[`encodeURI()`] does not encode forward slashes and therefore cannot prevent this vulnerability.
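The following is an added example, not part of the rule page or of SonarSource's code: it builds the outgoing request URL the way the noncompliant and compliant handlers above do and, using Node's built-in WHATWG `URL` parser, shows what the remote server would actually receive for a benign id and for two constructed hostile ids. Function names and the sample inputs are assumptions made for this example.

```javascript
// Added example: how the URL seen by example.com changes with and without
// encoding of the user-controlled `id`. Uses Node's global WHATWG URL class.

// Raw interpolation into the path, as in the noncompliant handler.
function buildUnsafeUrl(id) {
  return new URL(`https://example.com/user/${id}`).href;
}

// encodeURI() leaves "/", "?" and "=" untouched, so it changes nothing here.
function buildEncodeUriUrl(id) {
  return new URL(`https://example.com/user/${encodeURI(id)}`).href;
}

// encodeURIComponent() turns "/" into "%2F" and "?" into "%3F", so the value
// stays inside the /user/ path segment.
function buildSafeUrl(id) {
  return new URL(`https://example.com/user/${encodeURIComponent(id)}`).href;
}

// The shape used by the compliant handler: encoded value in a query parameter.
function buildCompliantUrl(id) {
  return new URL(`https://example.com/user/?id=${encodeURIComponent(id)}`).href;
}

// Constructed sample inputs, as a ?id= query parameter might carry them.
const SAMPLES = {
  benign: "42",
  traversal: "../admin",      // dot segments are resolved by the URL parser
  query: "42?role=admin",     // "?" starts a query string the caller never intended
};

for (const [name, id] of Object.entries(SAMPLES)) {
  console.log(name);
  console.log("  unsafe     :", buildUnsafeUrl(id));
  console.log("  encodeURI  :", buildEncodeUriUrl(id));
  console.log("  safe       :", buildSafeUrl(id));
  console.log("  compliant  :", buildCompliantUrl(id));
}
```

For `../admin`, both the unsafe and the `encodeURI()` variants resolve to `https://example.com/admin`, while the `encodeURIComponent()` variants keep the request under `/user/`.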