Unsanitized user input in resource rendering

• Rule ID: javascript_express_external_resource
• Languages: javascript
• Source: external_resource.yml

Description

Using raw unsanitized input when rendering resources is bad practice.

Remediations

❌ Avoid passing user or request input to res.render().

✅ Sanitize the input or use a safelist

Where it is unavoidable to rely on user input, sanitize the input or use a safelist to keep the rendered resources within the expected scope.

var path = req.body.path
if (['users', 'posts', 'pages'].includes(path)) {
  return res.render(`${path}/success`)
}

Associated CWE

• CWE-706: Use of Incorrectly-Resolved Name or Reference

OWASP Top 10

• A01:2021 - Broken Access Control

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_express_external_resource

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_express_external_resource