ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S4502/javascript/rule.adoc

35 lines
935 B
Plaintext
Raw Blame History

include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
https://www.npmjs.com/package/csurf[Express.js CSURF middleware] protection is not found on an unsafe HTTP method like POST method:
----
let csrf = require('csurf');
let express = require('express');
let csrfProtection = csrf({ cookie: true });
let app = express();
// Sensitive: this operation doesn't look like protected by CSURF middleware (csrfProtection is not used)
app.post('/money_transfer', parseForm, function (req, res) {
res.send('Money transferred');
});
----
Protection provided by https://www.npmjs.com/package/csurf[Express.js CSURF middleware] is globally disabled on unsafe methods:
----
let csrf = require('csurf');
let express = require('express');
app.use(csrf({ cookie: true, ignoreMethods: ["POST", "GET"] })); // Sensitive as POST is unsafe method
----
include::../see.adoc[]
Reference in New Issue View Git Blame Copy Permalink