ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S5122/javascript/rule.adoc

117 lines
2.3 KiB
Plaintext
Raw Blame History

include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
https://nodejs.org/api/http.html[nodejs http] built-in module:
[source,javascript]
----
const http = require('http');
const srv = http.createServer((req, res) => {
res.writeHead(200, { 'Access-Control-Allow-Origin': '*' }); // Sensitive
res.end('ok');
});
srv.listen(3000);
----
https://www.npmjs.com/package/express[Express.js] framework with https://www.npmjs.com/package/cors[cors middleware]:
[source,javascript]
----
const cors = require('cors');
let app1 = express();
app1.use(cors()); // Sensitive: by default origin is set to *
let corsOptions = {
origin: '*' // Sensitive
};
let app2 = express();
app2.use(cors(corsOptions));
----
User-controlled origin:
[source,javascript]
----
function (req, res) {
const origin = req.headers.origin;
res.setHeader('Access-Control-Allow-Origin', origin); // Sensitive
};
----
== Compliant Solution
https://nodejs.org/api/http.html[nodejs http] built-in module:
[source,javascript]
----
const http = require('http');
const srv = http.createServer((req, res) => {
res.writeHead(200, { 'Access-Control-Allow-Origin': 'trustedwebsite.com' }); // Compliant
res.end('ok');
});
srv.listen(3000);
----
https://www.npmjs.com/package/express[Express.js] framework with https://www.npmjs.com/package/cors[cors middleware]:
[source,javascript]
----
const cors = require('cors');
let corsOptions = {
origin: 'trustedwebsite.com' // Compliant
};
let app = express();
app.use(cors(corsOptions));
----
User-controlled origin validated with an allow-list:
[source,javascript]
----
function (req, res) {
const origin = req.headers.origin;
if (origin === 'trustedwebsite.com') {
res.setHeader('Access-Control-Allow-Origin', origin);
}
};
----
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
include::../highlighting.adoc[]
'''
== Comments And Links
(visible only on this page)
=== on 6 Jan 2019, 17:05:39 Lars Svensson wrote:
https://nodejs.org/api/http.html
https://nodejs.org/api/https.html
https://expressjs.com/en/4x/api.html
https://www.npmjs.com/package/cors
include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink