HTTP communication with user-controlled destination detected.
- Rule ID: javascript_lang_http_url_using_user_input
- Languages: javascript
- Source: http_url_using_user_input.yml
Description
Applications should not connect to destinations built from user input, because the user then chooses where the server sends its request. This rule flags HTTP request URLs that incorporate user-supplied data.
Remediations
❌ Avoid using user input in HTTP URLs:
// The destination host is taken verbatim from the request, so the caller decides where the server connects
const response = axios.get(`https://${req.params.host}`)
✅ Use user input indirectly to form a URL:
// Allowlist of destinations the application is permitted to call; user input only selects a key
const hosts = new Map([
["option1", "api1.com"],
["option2", "api2.com"]
])
// An unknown key yields undefined, so the request never targets a host outside the allowlist
const host = hosts.get(req.params.host)
const response = axios.get(`https://${host}`)
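The allowlist pattern above, carried through into a testable handler (an added example, not Bearer's or the rule's own code; it assumes Node.js for the built-in URL class, uses a hypothetical resolveUpstreamUrl/handleProxy pair, and sends no request):

```javascript
// Added example (not Bearer's code): the allowlist pattern the remediation
// describes, written so the vetted destination can be checked offline.
// Assumes Node.js for the built-in URL class; nothing here performs I/O.
const UPSTREAM_HOSTS = new Map([
  ["option1", "api1.com"],
  ["option2", "api2.com"],
]);

// Turn an untrusted selector into a URL whose host comes only from the
// allowlist. A Map (not a plain object) is used so keys such as
// "constructor" or "__proto__" do not resolve to inherited properties.
function resolveUpstreamUrl(optionKey) {
  if (typeof optionKey !== "string") return null;
  const host = UPSTREAM_HOSTS.get(optionKey);
  if (host === undefined) return null; // unknown selector: refuse, never guess
  return new URL(`https://${host}/`);
}

// Defence-in-depth check run right before the outbound call: whatever URL
// the code ended up with must still use https and an allowlisted host.
function isAllowedDestination(url) {
  const hosts = [...UPSTREAM_HOSTS.values()];
  return url.protocol === "https:" && hosts.includes(url.hostname);
}

// Express-style handler (req is a stand-in for what Express passes). It
// returns the response it would send plus the vetted URL; the caller then
// performs axios.get(result.url) only when status is 200.
function handleProxy(req) {
  const url = resolveUpstreamUrl(req.params.host);
  if (url === null || !isAllowedDestination(url)) {
    return { status: 400, body: "unknown upstream" };
  }
  return { status: 200, url: url.toString() };
}
```

A selector that is not an allowlist key (including a hostname pasted in by the client) produces a 400 rather than a request, which is the behaviour the rule is asking for.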
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=javascript_lang_http_url_using_user_input
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=javascript_lang_http_url_using_user_input