Rendering of resources resolved from external name or reference detected.
- Rule ID: javascript_express_external_resource
- Languages: javascript
- Source: external_resource.yml
Description
Passing raw, unsanitized request input to res.render() lets the client choose which template is rendered. Depending on the view engine and how it resolves template names, that can expose views that were never meant to be reachable from that endpoint, including files selected through path traversal sequences such as ../ in the supplied name.
Remediations
❌ Avoid passing user or request input to res.render().
✅ Sanitize the input or use a safelist
Where it is unavoidable to rely on user input, sanitize the input or use a safelist to keep the rendered resources within the expected scope.
```javascript
app.post('/success', (req, res) => {
  const path = req.body.path
  // Safelist: only these resource names may select a view
  if (['users', 'posts', 'pages'].includes(path)) {
    return res.render(`${path}/success`)
  }
  return res.status(400).send('Unknown resource')
})
```
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=javascript_express_external_resource
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=javascript_express_external_resource