rspec/rules/S5693/javascript/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

https://www.npmjs.com/package/formidable[formidable] file upload module:

----
const form = new Formidable(); 
form.maxFileSize = 10000000; // Sensitive: 10MB is more than the recommended limit of 8MB 

const formDefault = new Formidable(); // Sensitive, the default value is 200MB
----

https://www.npmjs.com/package/multer[multer] (Express.js middleware) file upload module:

----
let diskUpload = multer({
  storage: diskStorage,
  limits: { 
    fileSize: 10000000; // Sensitive: 10MB is more than the recommended limit of 8MB
  }
});

let diskUploadUnlimited = multer({ // Sensitive: the default value is no limit
  storage: diskStorage, 
});
----

https://www.npmjs.com/package/body-parser[body-parser] module:

----
// 4MB is more than the recommended limit of 2MB for non-file-upload requests
let jsonParser = bodyParser.json({ limit: "4mb" }); // Sensitive
let urlencodedParser = bodyParser.urlencoded({ extended: false, limit: "4mb" }); // Sensitive
----

== Compliant Solution

https://www.npmjs.com/package/formidable[formidable] file upload module:

[source,javascript]
----
const form = new Formidable();
form.maxFileSize = 8000000; // Compliant: 8MB
----

https://www.npmjs.com/package/multer[multer] (Express.js middleware) file upload module:

[source,javascript]
----
let diskUpload = multer({
  storage: diskStorage,
  limits: { 
     fileSize: 8000000 // Compliant: 8MB
  }
});
----

https://www.npmjs.com/package/body-parser[body-parser] module:

[source,javascript]
----
let jsonParser = bodyParser.json(); // Compliant, when the limit is not defined, the default value is set to 100kb
let urlencodedParser = bodyParser.urlencoded({ extended: false, limit: "2mb" }); // Compliant
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

include::../parameters.adoc[]

'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]