
* RSPEC-S5147 Java
* Update rules/S5147/java/rule.adoc
Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com>
* Update rules/S5147/java/rule.adoc
Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com>
* Update rules/S5147/description.adoc
Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com>
* Update rules/S5147/description.adoc
Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com>
* Update rules/S5147/description.adoc
Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com>
* Update rules/S5147/description.adoc
* applied some recommendations
* improved code
* message
* removed vuln odm
* split a sentence into multiple files
* removed pleonasms
* Update rules/S5147/java/rule.adoc
Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com>
* Update rules/S5147/java/rule.adoc
Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com>
* applied recommendations
* Update rules/S5147/php/rule.adoc
Co-authored-by: Marco Antognini <89914223+marco-antognini-sonarsource@users.noreply.github.com>
* Update rules/S5147/java/rule.adoc
* Update rules/S5147/java/rule.adoc
* Update rules/S5147/java/rule.adoc
* Update rules/S5147/java/rule.adoc
Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com>
Co-authored-by: Marco Antognini <89914223+marco-antognini-sonarsource@users.noreply.github.com>
Co-authored-by: Roberto Orlandi <71495874+roberto-orlandi-sonarsource@users.noreply.github.com>
48 lines
1.2 KiB
Plaintext
include::../description.adoc[]

//Mitigation precision for Javascript

Since JavaScript allows different types of HTTP parameters, the problem can be mitigated by ensuring that the type of the input is a String or by sanitizing the user-provided data.

== Noncompliant Code Example

When URL query parameters are parsed by the https://www.npmjs.com/package/qs[qs] module, for instance (the default in the Express.js framework), it is possible to inject objects through the URL:

----
function (req, res) {
  // req.query comes from qs: a nested key such as city[$ne] arrives as an object, not a string
  let query = { user: req.query.user, city: req.query.city };

  db.collection("users")
    .find(query) // Noncompliant: http://website/?user=admin&city[%24ne]=
    .toArray((err, docs) => { });
}
----

== Compliant Solution

Make sure to validate the input types so that only Strings are handled:

----
function (req, res) {
  // toString() turns an injected object into a plain string value before it reaches the filter
  let query = { user: req.query.user.toString(), city: req.query.city.toString() };

  db.collection("users")
    .find(query) // Compliant
    .toArray((err, docs) => { });
}
----

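Added example, not taken from the RSPEC rule or the SonarSource repository: a small qs-style bracket parser (an assumed stand-in for the qs module, one nesting level only, so it runs offline) shows how `city[%24ne]=` becomes a nested object, and a strict type check that rejects non-strings is placed next to the toString() coercion used in the compliant solution.

```javascript
// Imitates how qs turns "city[$ne]=" into { city: { $ne: "" } }.
// URLSearchParams percent-decodes keys, so "%24" becomes "$".
function parseQueryLikeQs(queryString) {
  const result = {};
  for (const [rawKey, value] of new URLSearchParams(queryString)) {
    const m = /^([^\[\]]+)\[([^\[\]]+)\]$/.exec(rawKey);
    if (m) {
      const [, key, sub] = m;
      if (typeof result[key] !== "object" || result[key] === null) result[key] = {};
      result[key][sub] = value;
    } else {
      result[rawKey] = value;
    }
  }
  return result;
}

// Strict check: only a plain string is accepted; objects, arrays and
// missing parameters are rejected.
function asString(value) {
  return typeof value === "string" ? value : null;
}

// Builds the MongoDB filter only when both fields are strings; returns null
// otherwise so the handler can answer 400 instead of running the query.
function buildUserFilter(reqQuery) {
  const user = asString(reqQuery.user);
  const city = asString(reqQuery.city);
  if (user === null || city === null) return null;
  return { user, city };
}

// The rule's compliant solution coerces with toString(): an injected object
// becomes the literal string "[object Object]", which matches no document,
// but a missing parameter makes toString() throw.
function coerceFilter(reqQuery) {
  return { user: reqQuery.user.toString(), city: reqQuery.city.toString() };
}

// Constructed request built from the rule's own noncompliant URL.
const injected = parseQueryLikeQs("user=admin&city[%24ne]=");
console.log(injected);                  // { user: 'admin', city: { '$ne': '' } }
console.log(buildUserFilter(injected)); // null
console.log(coerceFilter(injected));    // { user: 'admin', city: '[object Object]' }
```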
include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

include::../highlighting.adoc[]

endif::env-github,rspecator-view[]