    About a Vulnerability Detected by SonarCloud

    Server-side requests should not be vulnerable to forging attacks

    User supplied data, such as URL parameters, POST data payloads, or cookies, should always be considered untrusted and tainted. Performing requests from user-controlled data could allow attackers to make arbitrary requests on the internal network or to change their original meaning and thus to retrieve or delete sensitive information.

    The problem could be mitigated in any of the following ways:

    • Validate the user provided data, such as the URL and headers, used to construct the request.
    • Redesign the application to not send requests based on user provided data.

    Noncompliant Code Example

    const request = require('request');

    function ssrf(req, res) {
      // The target URL is taken straight from the query string: untrusted input.
      const url = req.query.url;
      // Response handler that relays the upstream body back to the client.
      const callback = (err, response, body) => res.send(err ? String(err) : body);

      request(url, callback); // Noncompliant: the caller controls the request target
    }
    

    Compliant Solution

    Validate the URL with an allowlist:

    const request = require('request');

    function ssrf(req, res) {
      const url = req.query.url;
      // Response handler that relays the upstream body back to the client.
      const callback = (err, response, body) => res.send(err ? String(err) : body);

      // Only a URL that starts with the allowlisted origin and route is requested.
      if (url.startsWith("https://www.trustedwebsite.com/route/?query=")) {
        request(url, callback); // Compliant
      }
    }
    

    Coming back today to edit this issue: since it was not resolved, I changed the RESTful API form on the backend instead. What is a RESTful API? http://www.ruanyifeng.com/blog/2014/05/restful_api.html
  • Original post: https://www.cnblogs.com/hujesse4/p/15533412.html