Usage of externally controlled input to select code
- Rule ID: javascript_lang_import_using_user_input
- Languages: javascript
- Source: import_using_user_input.yml
Description
Loading code dynamically from a path formed from user input can allow an attacker to execute arbitrary code.
Remediations
❌ Avoid passing user or request input to require().
✅ Where it is unavoidable to rely on user input, sanitize the input or use a safelist
var path = req.body.path
if (['users', 'posts', 'pages'].includes(path)) {
require(`${path}.js`)
}
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=javascript_lang_import_using_user_input
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=javascript_lang_import_using_user_input