Unsanitized dynamic input in file path
- Rule ID: javascript_lang_non_literal_fs_filename
- Languages: javascript
- Source: non_literal_fs_filename.yml
Description
Allowing unsanitized dynamic input in file paths can lead to unauthorized file and folder access. This vulnerability arises when dynamic data (for example, a request parameter or a function argument) is used to build the path passed to a file system operation, allowing an attacker to reach files and folders outside the intended location, including hidden ones.
Remediations
- Do sanitize all dynamic data and function arguments before using them in file system operations. This step is crucial to prevent unauthorized access.
- Do use a combination of hard-coded string literals and control logic, instead of directly passing dynamic data or function arguments to file system functions. Then only literal paths ever reach the file system, and the dynamic value merely selects which one is used.
```javascript
const fs = require("fs");

// The dynamic value only selects a branch; the path given to fs is a literal.
function write(filename) {
  switch (filename) {
    case "hello.txt":
      fs.writeFileSync("hello.txt", ""); // creates or truncates the literal file
      break;
    // Add more cases as necessary
    default:
      throw new Error("file not permitted");
  }
}
```
References
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag:
bearer scan /path/to/your-project/ --skip-rule=javascript_lang_non_literal_fs_filename
To run only this rule during a scan, use the following flag:
bearer scan /path/to/your-project/ --only-rule=javascript_lang_non_literal_fs_filename