Usage of externally controlled input to select code

Overview

• Rule ID: javascript_lang_import_using_user_input

• Applicable Languages: Javascript

• Weakness ID: CWE-470

Description

Loading code dynamically based on a path specified by user input can enable attackers to run arbitrary code on your system.

Remediation Guidelines

• Do not pass user or request input directly to the require() function. This can introduce significant security vulnerabilities.

• Sanitize user input if it is necessary to dynamically load code. Ensure that the input is thoroughly checked and cleaned to avoid processing malicious data.

• Adopt a safelist approach when dynamically loading code based on user input. Confirm that the input matches a predefined list of safe values before proceeding.

  Copy

  var path = req.body.path;
  if (['users', 'posts', 'pages'].includes(path)) {
    require(`${path}.js`);
  }
  

References

• CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

• OWASP Top 10: A03:2021 - Injection

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL