Loading of resource resolved from external name detected.
- Rule ID: javascript_lang_import_using_user_input
- Languages: javascript
- Source: import_using_user_input.yml
Description
Loading code dynamically from a path formed from user input can allow an attacker to execute arbitrary code.
Remediations
❌ Avoid passing user or request input to require().
✅ Where it is unavoidable to rely on user input, sanitize the input or use a safelist:

```javascript
var path = req.body.path
// Only names from the fixed safelist ever reach require(); anything else is ignored
if (['users', 'posts', 'pages'].includes(path)) {
  require(`${path}.js`)
}
```
Associated CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
OWASP Top 10