ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S5147/javascript/rule.adoc

43 lines
1012 B
Plaintext
Raw Blame History

include::../description.adoc[]
== Noncompliant Code Example
When url query parameters are parsed by the https://www.npmjs.com/package/qs[qs] module for instance (it's the case by default with express.js framework) then it's possible to inject objects in the URL:
----
function (req, res) {
let query = { user: req.query.user, city: req.query.city };
db.collection("users")
.find(query) // Noncompliant: http://website/?user=admin&city[%24ne]=
.toArray((err, docs) => { });
}
----
== Compliant Solution
Make sure to validate the input types to only handle Strings:
----
function (req, res) {
let query = { user: req.query.user.toString(), city: req.query.city.toString() };
db.collection("users")
.find(query) // Compliant
.toArray((err, docs) => { });
}
----
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
include::../highlighting.adoc[]
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink