64 - Sink Javascript Axios




Links



https://github.com/axios/axios

Description



The Axios module lets you make HTTP requests more conveniently than the built-in http/https modules.

Passing user-controlled data as the URL of .get, .post or the other request functions leads to a
'Server Side Request Forgery' (SSRF) security vulnerability: the user decides which host the server connects to.

Right



The URL is built from a fixed base with the standard URL object, and the user-controlled value only ever becomes a query parameter. More code, but this pattern keeps the scheme, host and path under the application's control.

const axios = require('axios');

// saster_user_contolled holds attacker-influenced input (for example a query
// parameter of the incoming request); it is only used as a query value here.
const url = new URL("https://www.example.moc/");

url.searchParams.append("city", "Amsterdam");
url.searchParams.append("location", saster_user_contolled);

axios.get(url.href)
  .then(function (response) {
    console.log(response);
  })
  .catch(function (error) {
    console.error(error.message);
  });



Wrong



const axios = require('axios');

// saster_user_contolled is used as the complete request URL, so the user
// chooses scheme, host, port and path: this is the SSRF sink.
axios.get(saster_user_contolled)
  .then(function (response) {
    console.log(response);
  });
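The safe pattern above as a reusable function, plus an allow-list check for the case where an application must accept a whole URL from the user. This is an added example, not code from the page or from the Axios project; the base URL, the allow-listed hosts and the sample inputs are assumptions, and no request is sent.

```javascript
// Added example (not from the original page or the Axios project).
// Runs offline: the functions only build or validate URLs; pass their
// return value to axios.get(), never the raw user input.

const BASE = "https://www.example.moc/";                        // assumed fixed base
const ALLOWED_HOSTS = new Set(["www.example.moc", "api.example.moc"]); // assumed allow-list

// Safe pattern from the page: user data can only ever become a query value.
// Whatever the user sends (even a full URL) is percent-encoded into the
// "location" parameter and the request still goes to BASE.
function buildLookupUrl(userLocation) {
  const url = new URL(BASE);
  url.searchParams.append("city", "Amsterdam");
  url.searchParams.append("location", String(userLocation));
  return url.href;
}

// Guard for the case where a whole URL must be accepted from the user:
// parse it, require https, a known host and no embedded credentials.
// Returns the normalised URL, or null when the target is not allowed.
function allowedTarget(userUrl) {
  let url;
  try {
    url = new URL(String(userUrl));
  } catch (e) {
    return null;                               // not a parseable URL at all
  }
  if (url.protocol !== "https:") return null;  // no http, file, gopher, ...
  if (url.username || url.password) return null; // reject user:pass@host forms
  if (!ALLOWED_HOSTS.has(url.hostname)) return null; // hostname is lower-cased by URL
  return url.href;
}

module.exports = { buildLookupUrl, allowedTarget };
```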