Usage of externally controlled input to select code

Overview

  • Rule ID: javascript_lang_import_using_user_input

  • Applicable Languages: Javascript

  • Weakness ID: CWE-470

Description

Loading code dynamically based on a path specified by user input can enable attackers to run arbitrary code on your system.

Remediation Guidelines

  • Do not pass user or request input directly to the require() function. This can introduce significant security vulnerabilities.

  • Sanitize user input if it is necessary to dynamically load code. Ensure that the input is thoroughly checked and cleaned to avoid processing malicious data.

  • Adopt a safelist approach when dynamically loading code based on user input. Confirm that the input matches a predefined list of safe values before proceeding.

    var path = req.body.path;
    if (['users', 'posts', 'pages'].includes(path)) {
      require(`${path}.js`);
    }
    
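The safelist guideline above, as an added example (not code from the rule page or its SAST tool): an assumed Express-style handler in which the unsafe pattern is shown beside an allow-listed version, and a plain-object lookup is shown to be a weaker allow-list than a Map. The `./handlers/*.js` paths are assumed.

```javascript
// Unsafe: the attacker-controlled string reaches require() unchanged, so any
// resolvable module path (relative, absolute, or a dependency) can be loaded.
function loadUnsafe(req) {
  return require(req.body.path); // assumed req.body.path from a JSON body
}

// Hardened: user input only selects a key; the module specifiers are fixed constants.
const HANDLERS = new Map([
  ['users', './handlers/users.js'],
  ['posts', './handlers/posts.js'],
  ['pages', './handlers/pages.js'],
]);

// Returns the fixed module specifier for an allowed name, or null otherwise.
function selectHandler(name) {
  // JSON bodies can carry arrays or objects; only a plain string may select a handler.
  if (typeof name !== 'string') return null;
  // Map.get does not consult the prototype chain, so 'constructor' or '__proto__' miss.
  return HANDLERS.get(name) ?? null;
}

function loadHandler(req) {
  const spec = selectHandler(req.body.path);
  if (spec === null) throw new Error('unknown handler');
  return require(spec); // spec is one of the three constants above
}

// Pitfall: a plain object used as an allow-list inherits Object.prototype keys,
// so inputs like 'constructor' resolve to a function instead of undefined.
const HANDLERS_OBJ = { users: './handlers/users.js', posts: './handlers/posts.js' };
function selectHandlerObjectLookup(name) {
  return HANDLERS_OBJ[name] ?? null; // 'constructor' returns Object(), not null
}

module.exports = { loadUnsafe, selectHandler, loadHandler, selectHandlerObjectLookup };
```

Use `Object.hasOwn(HANDLERS_OBJ, name)` (or a Map, as above) if an object must serve as the allow-list.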

References

Configuration

To omit this rule during a scan, or to get continuous code-level scanning, you can use our SAST tool.
