
include::../description.adoc[]
== Noncompliant Code Example
[source,javascript]
----
const request = require('request');
/**
 * Fetches whatever URL the client put in the `url` query parameter.
 *
 * The value is handed to request() exactly as received: neither its host nor
 * its scheme is checked, so the server fetches any address the caller names.
 *
 * @param {object} req - incoming request; `req.query.url` is the target URL.
 * @param {object} res - response object (unused here).
 */
function ssrf(req, res) {
  const { url } = req.query;
  request(url, callback); // Noncompliant
}
----
== Compliant Solution
Validate the URL against an allowlist:
[source,javascript]
----
const request = require('request'); 
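/**
 * Fetches the URL given in the `url` query parameter on the caller's behalf,
 * but only when it points at an allowlisted host over http(s).
 *
 * @param {object} req - incoming request; `req.query.url` is the target URL.
 * @param {object} res - response; assumed to be a Node `http.ServerResponse`
 *   (what Express hands to handlers) so `statusCode` and `end()` exist.
 */
function ssrf(req, res) {
  // Hosts this server may contact on behalf of a client. Compared against the
  // parsed hostname, never against the raw string.
  const allowedHosts = ["www.example.com", "example.com"];

  let target;
  try {
    // Parse first: the URL parser separates userinfo, port and path from the
    // host, so the hostname comparison below cannot be bypassed by crafting
    // the string.
    target = new URL(req.query.url);
  } catch (err) {
    // new URL() throws on a missing or malformed value; reject explicitly
    // instead of letting the TypeError propagate.
    res.statusCode = 400;
    res.end();
    return;
  }

  // Check the scheme as well as the host so the outgoing request is always a
  // plain http(s) fetch of an allowlisted server.
  const isAllowed =
    (target.protocol === "http:" || target.protocol === "https:") &&
    allowedHosts.includes(target.hostname);
  if (!isAllowed) {
    res.statusCode = 403;
    res.end();
    return;
  }

  // Hand over the normalized string and do not follow redirects, so that an
  // allowlisted host cannot redirect this request to another destination.
  request({ url: target.href, followRedirect: false }, callback);
}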
----
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
include::../highlighting.adoc[]
endif::env-github,rspecator-view[]