lines changed Original file line number Diff line number Diff line change 1+ const axios = require ( 'axios' ) ;
2+
3+ export const handler = async ( req , res , next ) => {
4+ const { target } = req . body ;
5+
6+ try {
7+ // BAD: `target` is controlled by the attacker
8+ const response = await axios . get ( 'https://example.com/current_api/' + target ) ;
9+
10+ // process request response
11+ use ( response ) ;
12+ } catch ( err ) {
13+ // process error
14+ }
15+ } ;
Original file line number Diff line number Diff line change 1+ const axios = require ( 'axios' ) ;
2+ const validator = require ( 'validator' ) ;
3+
4+ export const handler = async ( req , res , next ) => {
5+ const { target } = req . body ;
6+
7+ if ( ! validator . isAlphanumeric ( target ) ) {
8+ return next ( new Error ( 'Bad request' ) ) ;
9+ }
10+
11+ try {
12+ // `target` is validated
13+ const response = await axios . get ( 'https://example.com/current_api/' + target ) ;
14+
15+ // process request response
16+ use ( response ) ;
17+ } catch ( err ) {
18+ // process error
19+ }
20+ } ;
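Review bot: The guard on line 7 of the new file passes `target` straight to `validator.isAlphanumeric`, but `target` comes from `req.body` destructuring and is `undefined` (or a non-string such as an array or object) whenever the client omits or reshapes it; validator's string helpers assert a string argument and throw a TypeError in that case, so the rejection would escape the async handler before `next` is ever called instead of producing the intended 'Bad request'. Since this file is the "good" example a reader will copy, the type check belongs in the guard: `if (typeof target !== 'string' || !validator.isAlphanumeric(target)) {`. The mixed `require`/`export` and the undefined `use` appear to be deliberate example placeholders, so I am not raising them.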