safemoduleloading.md


Avoid module loading using a variable

One Paragraph Explainer

Avoid requiring/importing another file with a path that was given as a parameter, because that path could have originated from user input. This rule can be extended to accessing files in general (e.g. fs.readFile()) or other sensitive resources with dynamic variables originating from user input.

Code example

// insecure, as helperPath variable may have been modified by user input
const badWayToRequireUploadHelpers = require(helperPath);

// secure
const uploadHelpers = require('./helpers/upload');
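
When the helper really must be chosen at runtime, the choice can go through a fixed allow-list so that user input never reaches require() or the file system as a path. The following is an added example, not part of the original file; HELPERS, loadHelper, resolveInside, './helpers/resize' and the '/srv/uploads' base directory are assumptions made for illustration.

```javascript
const path = require('node:path');

// Every require() below takes a string literal; user input only picks a key.
// './helpers/upload' is the page's path; './helpers/resize' is hypothetical.
const HELPERS = Object.freeze({
  upload: () => require('./helpers/upload'),
  resize: () => require('./helpers/resize'),
});

// Map an untrusted name to a module, or throw. hasOwnProperty keeps inherited
// keys such as "constructor" or "__proto__" from counting as a match.
function loadHelper(name) {
  if (typeof name !== 'string' ||
      !Object.prototype.hasOwnProperty.call(HELPERS, name)) {
    throw new Error('unknown helper: ' + JSON.stringify(name));
  }
  return HELPERS[name]();
}

// Same rule for files: resolve the untrusted path against a fixed base
// directory and refuse anything that lands outside it. This is a lexical
// check; it does not follow symlinks inside baseDir.
function resolveInside(baseDir, userPath) {
  if (typeof userPath !== 'string' || userPath.includes('\0')) {
    throw new Error('invalid path');
  }
  const base = path.resolve(baseDir);
  const target = path.resolve(base, userPath);
  if (target !== base && !target.startsWith(base + path.sep)) {
    throw new Error('path escapes base directory');
  }
  return target;
}

// Constructed sample inputs, as they might arrive from a request.
for (const input of ['report.txt', 'img/a.png', '../../etc/passwd', '/etc/passwd']) {
  try {
    console.log(input, '->', resolveInside('/srv/uploads', input));
  } catch (err) {
    console.log(input, '-> rejected:', err.message);
  }
}
```

The result of resolveInside() is what gets passed to fs.readFile(); the raw request value is never used directly.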