== Why is this an issue?

When loading modules dynamically, malicious user input could find its way to the parameter specifying the module path and name. This could allow an attacker to load and run arbitrary code, or access arbitrary files.


This rule raises an issue for each use of dynamic module loading.

=== Noncompliant code example

[source,javascript]
----
const mod = require(modPath);
----

=== Compliant solution

[source,javascript]
----
const mod = require('path/module');
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Remove this use of dynamic module loading.


'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]