Usage of externally controlled input to select code

Description

Loading code dynamically from a path dictated by user input (for example, passing a request parameter to `require()` or a dynamic `import()`) lets an attacker choose which file the application loads and executes. Pointing the path at an unexpected file on disk, or at a file the attacker was able to upload, turns the load into arbitrary code execution in the application's process.

Remediations

  • Do not pass user or request input directly to the require() function (or to a dynamic import()). Whoever controls the argument controls which file is executed.
  • Do validate user input strictly if it must be used to select code. Reject anything that is not an exact expected value rather than trying to strip dangerous characters; blocklisting `..` or path separators is brittle and easy to get wrong.
  • Do use a safelist approach when relying on user input to load code dynamically. Verify that the input matches a predefined list of safe values before processing, and load only on an exact match:
    const path = req.body.path;
    if (['users', 'posts', 'pages'].includes(path)) {
      // Only one of the three known modules can reach require();
      // the './' prefix resolves relative to this file rather than node_modules.
      require(`./${path}.js`);
    }

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_lang_import_using_user_input

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_lang_import_using_user_input