Avoid module loading using a variable
One Paragraph Explainer
Avoid requiring/importing another file with a path that was given as parameter due to the concern that it could have originated from user input. This rule can be extended for accessing files in general (i.e. fs.readFile()
) or other sensitive resources with dynamic variables originating from user input.
Code example
// insecure, as helperPath variable may have been modified by user input
const badWayToRequireUploadHelpers = require(helperPath);
// secure
const uploadHelpers = require('./helpers/upload');
当前内容版权归 goldbergyoni 或其关联方所有,如需对内容或内容相关联开源项目进行关注与资助,请访问 goldbergyoni .