Sending HTTP requests is security-sensitive. It has led in the past to the following vulnerabilities:
An HTTP request can be exposed to several kinds of vulnerabilities:
This rule flags code that initiates an HTTP request. The goal is to guide security code reviews.
You are at risk if you answered yes to any of those questions.
// === Built-in NodeJS modules ===
// `url` is a free variable in this listing. For every call below, the review
// question is where that value originates: if any part of it (scheme, host,
// port, path) can be influenced from outside the application, the request
// destination is no longer under the application's control.
const http = require('http');
// Plain HTTP: request and response travel unencrypted. The empty callback is
// illustrative only; NOTE(review): a real call site should consume or destroy
// `res`, and `http.request` needs an explicit `.end()` (`http.get` ends the
// request for you).
http.request(url, (res) => {}); // Questionable
http.get(url, (res) => {}); // Questionable
const https = require('https');
// TLS protects the transport but says nothing about whether the destination is
// the intended one, so the same origin review applies. NOTE(review): also
// confirm certificate checking is not disabled (`rejectUnauthorized`) near
// such calls.
https.request(url, (res) => {}); // Questionable
https.get(url, (res) => {}); // Questionable
// === Request NodeJS module ===
const request = require('request');
// All Request methods making HTTP requests are security-sensitive and should be reviewed.
// Examples:
// The callback receives `error`, `res` and `body` and ignores all three here;
// at a real call site `error` and the status code should be checked before
// `body` is trusted. The second form sends with no handler at all.
request(url, function (error, res, body) {}); // Questionable
request.get(url); // Questionable
// === Axios module ===
const axios = require('axios');
// All Axios methods making HTTP requests are security-sensitive and should be reviewed.
// Example:
// The promise chain below has no rejection handler; besides the origin of
// `url`, a reviewer should check that request failures are not silently lost.
axios.get(url) // Questionable
.then(function (res) {});
// === In browser, XMLHttpRequest ===
// Feature-detect the standard constructor and fall back to the legacy ActiveX
// object; both branches produce an object that issues the same request, so
// the constructor choice is not the security-relevant line.
var xmlhttp = null;
if (window.XMLHttpRequest) {
xmlhttp = new XMLHttpRequest(); // modern browsers
} else {
xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); // very old IE browsers
}
xmlhttp.onreadystatechange = function() {};
// `open` fixes the method and the destination, which is why it is the flagged
// call. The third argument `false` asks for a synchronous send, which blocks
// the page until the response arrives.
xmlhttp.open("GET", url, false); // Questionable
xmlhttp.send();
// === In modern browsers, Fetch API ===
// `fetch` resolves for any HTTP status and rejects only on network failure;
// the handler below neither inspects `res.ok` nor catches a rejection, so
// besides the origin of `url` a reviewer should look at how outcomes are
// handled at the real call site.
window.fetch(url) // Questionable
.then(function(res) {});
// === In old IE browsers, XDomainRequest ===
// Legacy IE cross-origin request object. `open` is the call that fixes the
// method and destination; it carries no marker in this listing but presumably
// warrants the same review as `XMLHttpRequest.open` above.
var xdr = new XDomainRequest();
xdr.open("GET", url);
xdr.send();
// === In browser, jQuery ===
// All jQuery methods making HTTP requests are security-sensitive and should be reviewed.
// Examples:
// `$.ajax` takes its destination from the `url` option, `$.get` takes it as the
// first positional argument. Neither example attaches a failure handler
// (`.fail` / error callback), so only the success path is shown.
$.ajax({ url: url }) // Questionable
.done(function(data) {});
$.get(url, function(data) {}); // Questionable