ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S4830/javascript/rule.adoc
Arseniy Zaostrovnykh 716b335a56 Enable forced linebreaks in quotes; escape -- in url
2021-02-02 16:54:43 +01:00

96 lines
2.0 KiB
Plaintext
Raw Blame History

include::../description.adoc[]
== Noncompliant Code Example
There is no way to disable certificate verification in tls, https and request modules but it is possible to not reject request when verification fails.
https://nodejs.org/api/https.html[https] built-in module:
----
let options = {
hostname: 'www.example.com',
port: 443,
path: '/',
method: 'GET',
secureProtocol: 'TLSv1_2_method',
rejectUnauthorized: false ; // Noncompliant
};
let req = https.request(options, (res) => {
res.on('data', (d) => {
process.stdout.write(d);
});
}); // Noncompliant
----
https://nodejs.org/api/tls.html[tls] built-in module:
----
let options = {
secureProtocol: 'TLSv1_2_method',
rejectUnauthorized: false ; // Noncompliant
};
let socket = tls.connect(443, "www.example.com", options, () => {
process.stdin.pipe(socket);
process.stdin.resume();
}); // Noncompliant
----
https://www.npmjs.com/package/request[request] module:
----
let socket = request.get({
url: 'www.example.com',
secureProtocol: 'TLSv1_2_method',
rejectUnauthorized: false ; // Noncompliant
});
----
== Compliant Solution
https://nodejs.org/api/https.html[https] built-in module:
----
let options = {
hostname: 'www.example.com',
port: 443,
path: '/',
method: 'GET',
secureProtocol: 'TLSv1_2_method'
};
let req = https.request(options, (res) => {
res.on('data', (d) => {
process.stdout.write(d);
});
}); // Compliant: by default rejectUnauthorized is set to true
----
https://nodejs.org/api/tls.html[tls] built-in module:
----
let options = {
secureProtocol: 'TLSv1_2_method'
};
let socket = tls.connect(443, "www.example.com", options, () => {
process.stdin.pipe(socket);
process.stdin.resume();
}); // Compliant: by default rejectUnauthorized is set to true
----
https://www.npmjs.com/package/request[request] module:
----
let socket = request.get({
url: 'https://www.example.com/',
secureProtocol: 'TLSv1_2_method' // Compliant
}); // Compliant: by default rejectUnauthorized is set to true
----
include::../see.adoc[]
Reference in New Issue View Git Blame Copy Permalink