Unsanitized dynamic input in file path

Description

Passing dynamic data (request parameters, form values, names read from another file or database) to the file system module is bad security practice. If an attacker influences the value, a path such as ../../etc/passwd or an absolute path can make the program read, overwrite or delete files outside the directory it was meant to touch (path traversal), exposing unauthorized or hidden files and folders.

Remediations

✅ Always ensure that dynamic data and function arguments are sanitized

❌ Do not pass dynamic data or function arguments directly to the fs module. Map the input onto hard-coded string literals with control logic, so the value that reaches fs is always one you wrote yourself

  const fs = require("fs");

  // Only string literals chosen here ever reach fs, so the caller's value
  // cannot smuggle in "../" segments or an absolute path.
  function write(filename, contents) {
    switch (filename) {
      case "hello.txt":
        fs.writeFileSync("hello.txt", contents);
        break;

      // further permitted names go here as additional literal cases

      default:
        throw new Error(`unsupported filename: ${filename}`);
    }
  }

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_lang_non_literal_fs_filename

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_lang_non_literal_fs_filename