rspec/rules/S5334/javascript/how-to-fix-it/node.adoc

== How to fix it in Node.js

=== Code examples

The following code is vulnerable to arbitrary code execution because it dynamically
runs JavaScript code built from untrusted data.

==== Noncompliant code example

[source,javascript,diff-id=1,diff-type=noncompliant]
----
function (req, res) {
    let operation = req.query.operation
    eval(`product_${operation}()`) // Noncompliant
    res.send("OK")
}
----

==== Compliant solution

[source,javascript,diff-id=1,diff-type=compliant]
----
const allowed = ["add", "remove", "update"]

let operationId = req.query.operationId
const operation = allowed[operationId]
eval(`product_${operation}()`)
res.send("OK")
----

=== How does this work?

include::../../common/fix/introduction.adoc[]

include::../../common/fix/parameters.adoc[]

include::../../common/fix/allowlist.adoc[]

The example compliant code uses such a binding approach.