We should report on usages of the `errorhandler` middleware in a production environment.
const express = require('express');
const errorhandler = require('errorhandler');
const app = express();
const app2 = express();

if (process.env.NODE_ENV === 'development') {
  // only use in development
  app.use(errorhandler()); // Compliant
}
app2.use(errorhandler()); // Noncompliant
A simple way to do it is to raise an issue when `errorhandler` is used outside of any `if` statement.
More sophisticated logic could additionally check that the condition expression involves `process.env.NODE_ENV`.
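The two checks described above, as an added illustration that is not SonarJS code (the real rule runs on an ESLint AST): a token-level approximation that skips comments and string literals, tracks `if` blocks by brace depth, and reports an `errorhandler(...)` call either when no enclosing `if` exists (the simple check) or when none of the enclosing `if` conditions mentions `process.env.NODE_ENV` (the stricter check, switchable with the assumed `requireNodeEnv` option). The sample source is constructed here; `config.verbose` in it is just sample text.

```javascript
// Added example (not SonarJS code): token-level approximation of the S4507 hotspot check.
// Matches whitespace, comments, string/template literals, identifiers, equality operators,
// and then any single non-space character, so `require('errorhandler')` is a string token
// rather than an identifier followed by '('.
const TOKEN_RE = /\s+|\/\/[^\n]*|\/\*[\s\S]*?\*\/|'(?:[^'\\\n]|\\.)*'|"(?:[^"\\\n]|\\.)*"|`(?:[^`\\]|\\.)*`|[A-Za-z_$][\w$]*|===|!==|==|!=|[^\s]/g;

// Split source into significant tokens, remembering the line each one starts on.
function tokenize(src) {
  const tokens = [];
  let line = 1;
  for (const m of src.matchAll(TOKEN_RE)) {
    const text = m[0];
    const isTrivia = /^\s/.test(text) || text.startsWith('//') || text.startsWith('/*');
    if (!isTrivia) tokens.push({ text, line });
    line += (text.match(/\n/g) || []).length; // whitespace and block comments may span lines
  }
  return tokens;
}

// Report calls to `middlewareName(...)` that are not guarded the way the issue asks for.
// `requireNodeEnv` is an assumed option: false gives the simple "outside any if" check,
// true additionally demands that an enclosing if-condition involves process.env.NODE_ENV.
function findDebugMiddleware(src, { middlewareName = 'errorhandler', requireNodeEnv = true } = {}) {
  const tokens = tokenize(src);
  const blocks = [];     // one entry per open '{': { isIf, guardsEnv }
  let pendingIf = null;  // guard info between an `if (...)` and its body
  const findings = [];

  for (let i = 0; i < tokens.length; i++) {
    const { text, line } = tokens[i];

    if (text === 'if' && tokens[i + 1] && tokens[i + 1].text === '(') {
      // Collect the condition tokens up to the matching ')'.
      let depth = 0;
      const cond = [];
      let j = i + 1;
      for (; j < tokens.length; j++) {
        if (tokens[j].text === '(') depth++;
        else if (tokens[j].text === ')') depth--;
        if (depth === 0) break;
        if (j > i + 1) cond.push(tokens[j].text);
      }
      pendingIf = { isIf: true, guardsEnv: cond.join('').includes('process.env.NODE_ENV') };
      i = j; // resume after the closing ')'
      continue;
    }
    if (text === '{') { blocks.push(pendingIf || { isIf: false, guardsEnv: false }); pendingIf = null; continue; }
    if (text === '}') { blocks.pop(); continue; }
    if (text === ';') { pendingIf = null; continue; } // end of a brace-less `if` body

    if (text === middlewareName && tokens[i + 1] && tokens[i + 1].text === '(') {
      const guards = pendingIf ? [...blocks, pendingIf] : blocks;
      const ifGuards = guards.filter(b => b.isIf);
      if (ifGuards.length === 0) {
        findings.push({ line, message: `${middlewareName} is used outside of any if statement` });
      } else if (requireNodeEnv && !ifGuards.some(b => b.guardsEnv)) {
        findings.push({ line, message: `${middlewareName} is guarded by a condition that does not involve process.env.NODE_ENV` });
      }
    }
  }
  return findings;
}

// Constructed sample: the issue's snippet plus a third app guarded by an unrelated flag.
const SAMPLE = `
const express = require('express');
const errorhandler = require('errorhandler');
const app = express();
const app2 = express();
const app3 = express();

if (process.env.NODE_ENV === 'development') {
  // only use in development
  app.use(errorhandler()); // Compliant
}
app2.use(errorhandler()); // Noncompliant: no condition at all
if (config.verbose) {
  app3.use(errorhandler()); // Noncompliant (strict check): condition does not look at NODE_ENV
}
`;

for (const f of findDebugMiddleware(SAMPLE)) console.log(`line ${f.line}: ${f.message}`);
```

Running it reports lines 12 and 14 of the sample; with `{ requireNodeEnv: false }` only line 12 is reported, which is the simple check the issue proposes first. Because it only tracks braces and `if (...)`, it is an approximation: an `else` branch or an object literal is treated as a plain block, which is good enough to show the logic but is why the real rule works on an AST.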
vilchik-elena changed the title from "Deprecate S1442 and S1525 in favor of S4507" to "Rule S4507: Delivering code in production with debug features activated is security-sensitive (deprecate S1442 and S1525)" on Mar 18, 2020
vilchik-elena changed the title from "Rule S4507: Delivering code in production with debug features activated is security-sensitive (deprecate S1442 and S1525)" to "Rule S4507: Delivering code in production with debug features activated is security-sensitive (deprecates S1442 and S1525)" on Mar 18, 2020
New rule to implement RSPEC-4507
Since it's implemented, rules S1442 (#1078) and S1525 (#1418) should be deprecated (#1182)
Code examples:
https://github.com/SonarSource/security-expected-issues/tree/master/javascript/rules/hotspots/RSPEC-4507