Rendering of resources resolved from external name or reference detected.

• Rule ID: javascript_express_external_resource
• Languages: javascript
• Source: external_resource.yml

Description

Using raw unsanitized input when rendering resources is bad practice.

Remediations

❌ Avoid passing user or request input to res.render() or require().

✅ Sanitize the input or use a safelist

Where it is unavoidable to rely on user input, sanitize the input or use a safelist to keep the rendered resources within the expected scope.

var path = req.body.path
if (['users', 'posts', 'pages'].includes(path)) {
  return res.render(`${path}/success`)
}

Associated CWE

• CWE-706: Use of Incorrectly-Resolved Name or Reference

OWASP Top 10

• A01:2021 - Broken Access Control