27 lines
613 B
Plaintext
27 lines
613 B
Plaintext
When loading modules dynamically, malicious user input could find its way to the parameter specifying the module path and name. This could allow an attacker to load and run arbitrary code, or access arbitrary files.
|
|
|
|
|
|
This rule raises an issue for each use of dynamic module loading.
|
|
|
|
== Noncompliant Code Example
|
|
|
|
----
|
|
const mod = require(modPath);
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
----
|
|
const mod = require('path/module');
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::../comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|