ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S2076/javascript/how-to-fix-it/ssh2.adoc
Marco Borgeaud 95ce8c6119
Diff blocks: fix some incorrect use for javascript (#2802) 
Improvement identified in #2790.

Add a prefix to the diff-id when it is used multiple times in different
"how to fix it in XYZ" sections to avoid ambiguity and pedantically
follow the spec:

> A single and unique diff-id should be used only once for each type of
code example as shown in the description of a rule.

Obvious typos around `diff-type` were fixed.
2023-08-15 09:43:48 +02:00

78 lines
1.8 KiB
Plaintext
Raw Permalink Blame History

== How to fix it in SSH2
=== Code examples
include::../../common/fix/code-rationale.adoc[]
==== Noncompliant code example
[source,javascript,diff-id=11,diff-type=noncompliant]
----
const { Client } = require('ssh2')
const conn = new Client()
conn.on('ready', () => {
conn.exec(req.query.cmd, (err, stream) => {}) // Noncompliant
})
conn.connect({
host: 'example.org',
username: 'user',
password: 'password'
})
----
==== Compliant solution
[source,javascript,diff-id=11,diff-type=compliant]
----
const { Client } = require('ssh2')
const shell = require('shell-escape-tag')
const cmdId = parseInt(req.query.cmdId)
let host = req.query.host
host = typeof host === "string"? host : "example.org"
host = shell.escape(host)
const allowedCommands = ["/bin/ping -c 1 --", "/bin/host --"]
const cmd = `${allowedCommands[cmdId]} ${host}`
const conn = new Client()
conn.on('ready', () => {
conn.exec(cmd, (err, stream) => {})
})
conn.connect({
host: 'example.org',
username: 'user',
password: 'password'
})
----
=== How does this work?
include::../../common/fix/introduction.adoc[]
include::../../common/fix/pre-approved-list.adoc[]
In the example compliant code, a static list of trusted commands is used. Users are only allowed to
submit an index in this array in place of a full command name.
:sanitizationLib: shell-escape-tag
include::../../common/fix/sanitize-meta-characters.adoc[]
In the example compliant code, the `escape` function from the `shell-escape-tag` is used to properly
escape the user-supplied command argument. It can then safely be used in the
trusted command template.
=== Pitfalls
include::../common/pitfalls/loose-typing.adoc[]
In the above compliant code example, the `shell.escape` function has this
behavior. However, a type check has been introduced to prevent any unexpected
issue.
Reference in New Issue View Git Blame Copy Permalink