ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S5527/javascript/rule.adoc
Fred Tingaud 16f6c0aecf
Inline adoc when include has no additional value (#1940) 
Inline adoc files when they are included exactly once.

Also fix language tags because this inlining gives us better information
on what language the code is written in.
2023-05-25 14:18:12 +02:00

129 lines
2.8 KiB
Plaintext
Raw Blame History

== Why is this an issue?
include::../description.adoc[]
=== Noncompliant code example
https://nodejs.org/api/https.html[https] built-in module:
[source,javascript]
----
let options = {
hostname: 'www.example.com',
port: 443,
path: '/',
method: 'GET',
secureProtocol: 'TLSv1_2_method',
checkServerIdentity: function() {} // Noncompliant: hostname is not verified
};
let req = https.request(options, (res) => {
res.on('data', (d) => {
process.stdout.write(d);
});
}); // Noncompliant
----
https://nodejs.org/api/tls.html[tls] built-in module:
[source,javascript]
----
let options = {
secureProtocol: 'TLSv1_2_method',
checkServerIdentity: function() {} // Noncompliant: hostname is not verified
};
let socket = tls.connect(443, "www.example.com", options, () => {
process.stdin.pipe(socket);
process.stdin.resume();
}); // Noncompliant
----
https://www.npmjs.com/package/request[request] module:
[source,javascript]
----
let socket = request.get({
url: 'https://www.example.com',
secureProtocol: 'TLSv1_2_method',
checkServerIdentity: function() {} // Noncompliant: hostname is not verified
});
----
=== Compliant solution
https://nodejs.org/api/https.html[https] built-in module:
[source,javascript]
----
let options = {
hostname: 'www.example.com',
port: 443,
path: '/',
method: 'GET',
secureProtocol: 'TLSv1_2_method'
};
let req = https.request(options, (res) => {
res.on('data', (d) => {
process.stdout.write(d);
});
}); // Compliant: default checkServerIdentity function is secure
----
https://nodejs.org/api/tls.html[tls] built-in module:
[source,javascript]
----
let options = {
secureProtocol: 'TLSv1_2_method',
checkServerIdentity: (servername, peer) => {
if (servername !== "www.example.com") {
return new Error ('Error'); // Compliant: there is at least one check
}
}
};
let socket = tls.connect(443, "www.example.com", options, () => {
process.stdin.pipe(socket);
process.stdin.resume();
}); // Compliant
----
https://www.npmjs.com/package/request[request] module:
[source,javascript]
----
let socket = request.get({
url: 'https://www.example.com/',
secureProtocol: 'TLSv1_2_method' // Compliant
}); // Compliant: default checkServerIdentity function is secure
----
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
=== Highlighting
When ``++https.request++``|``++request.get++``|``++tls.connect++`` is used:
* primary location: the call to ``++https.request/...++``
* secondary location: on ``++rejectUnauthorized: false++``
** message: 'Set "rejectUnauthorized" to "true".'
'''
== Comments And Links
(visible only on this page)
include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink