Improper input validation can enable attacks and lead to unwanted behavior. Parts of the system may receive unintended input, which could result in altered control flow, arbitrary control of a resource, or arbitrary code execution. In the examples below, a request parameter is compiled directly into a `RegExp`: an attacker-supplied pattern can be syntactically invalid (`RegExp()` throws and the request fails) or crafted to backtrack catastrophically (regular-expression denial of service, ReDoS). Escaping the value before compiling it, as the compliant example does, makes every metacharacter match literally; where the set of valid values is known, validating against an allowlist is stricter still.
// Application setup shared by the handler below.
const express = require('express')
const app = express()

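// Registers a handler that compiles a request parameter straight into a RegExp.
//
// Noncompliant: `request.params.collection` is attacker-controlled and is used
// unescaped as a regular-expression pattern. A syntactically invalid pattern
// makes `RegExp()` throw, and a pattern built to backtrack catastrophically
// makes `regex.test` consume CPU for a long time (ReDoS). The unsafe call is
// kept deliberately to illustrate the defect; see the compliant variant.
function improperInputValidationNoncompliant() {
  // The route must declare `:collection`; with the literal path
  // '/data/collection' `request.params.collection` is always undefined and
  // the handler never sees user input at all.
  app.get('/data/:collection', (request, response) => {
    // Noncompliant: user input is not sanitized before use.
    const regex = RegExp(request.params.collection)
    const matches = regex.test(request.params.collection)
    // Always answer the request; without a response the client hangs.
    response.json({ matches })
  })
}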
// Application setup shared by the handler below; escape-string-regexp is
// used to neutralise regex metacharacters in untrusted input.
const express = require('express')
const app = express()
const escapeStringRegexp = require('escape-string-regexp')

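// Registers a handler that uses a request parameter as a RegExp only after
// escaping it.
//
// Compliant: the attacker-controlled value is passed through
// escapeStringRegexp, so (assuming it escapes every metacharacter) the
// resulting pattern matches literally and cannot be syntactically invalid or
// backtrack catastrophically. Note that escaping neutralises the injection
// but is not input validation: where the set of valid collection names is
// known, checking the value against that allowlist is stricter.
function improperInputValidationCompliant() {
  // The route must declare `:collection`; with the literal path
  // '/data/collection' `request.params.collection` is always undefined and
  // nothing user-controlled ever reaches the RegExp.
  app.get('/data/:collection', (request, response) => {
    // Compliant: user input is sanitized before use.
    const regex = RegExp(escapeStringRegexp(request.params.collection))
    // NOTE(review): testing the escaped pattern against the very string it was
    // built from is trivially true; a real handler would test it against some
    // other subject. The shape is kept from the original for illustration.
    const matches = regex.test(request.params.collection)
    // Always answer the request; without a response the client hangs.
    response.json({ matches })
  })
}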