External control of filename or path detected.

Rule ID: javascript_express_external_file_upload
Languages: javascript
Source: external_file_upload.yml

Description

Passing unsanitized user input to the sendFile API is bad practice and can lead to path manipulation, by which attackers can gain access to resources and data outside of the intended scope.

Remediations

✅ Set the root option to be an absolute path to a directory

app.post("/upload", (req, res) => {
  var options = {
    root: path.join(__dirname, "upload")
  }
  res.sendFile(req.params.filename, options)
}

Resources

Express sendFile API reference

Associated CWE

CWE-73: External Control of File Name or Path

OWASP Top 10

A04:2021 - Insecure Design

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_express_external_file_upload

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_express_external_file_upload

Ready to take the next step? Learn more about Bearer Cloud.