Usage of externally controlled input to select code

Description

Loading code dynamically from a path formed from user input can allow an attacker to execute arbitrary code.

Remediations

❌ Avoid passing user or request input to require().

✅ Where it is unavoidable to rely on user input, sanitize the input or check it against a safelist of permitted values before it reaches require().

// The request value is only ever used after an exact safelist match.
const path = req.body.path;
if (['users', 'posts', 'pages'].includes(path)) {
  require(`${path}.js`);
}

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=javascript_lang_import_using_user_input

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=javascript_lang_import_using_user_input