Avoid variables in 'fs' calls filename argument This product is not supported for your selected
Datadog site . (
).
TRY THIS RULE ID: javascript-node-security/detect-non-literal-fs-filename
Language: JavaScript
Severity: Warning
Category: Security
Description An attacker could manipulate the file system call argument, leading to a path traversal attack. In this case, the attacker can get access to files and directories within your server file system.
Non-Compliant Code Examples /// requires
var something = require ( 'fs' );
var a = something . open ( c );
var one = require ( 'fs' ). readFile ;
one ( filename );
var one = require ( 'node:fs' ). readFile ;
one ( filename );
var one = require ( 'fs/promises' ). readFile ;
one ( filename );
var something = require ( 'fs/promises' );
something . readFile ( filename );
var something = require ( 'node:fs/promises' );
something . readFile ( filename );
var something = require ( 'fs-extra' );
something . readFile ( filename );
var { readFile : something } = require ( 'fs' );
something ( filename )
//// imports
import { readFile as something } from 'fs' ;
something ( filename );
import { readFile as something } from 'node:fs' ;
something ( filename );
import { readFile as something } from 'fs-extra' ;
something ( filename );
import { readFile as something } from 'fs/promises'
something ( filename )
import { readFile as something } from 'node:fs/promises'
something ( filename )
import { readFile } from 'node:fs/promises'
something ( readFile )
import * as something from 'fs' ;
something . readFile ( filename );
import * as something from 'node:fs' ;
something . readFile ( filename );
/// promises
var something = require ( 'fs' ). promises ;
something . readFile ( filename )
var something = require ( 'node:fs' ). promises ;
something . readFile ( filename )
var something = require ( 'fs' );
something . promises . readFile ( filename )
var something = require ( 'node:fs' );
something . promises . readFile ( filename )
var fs = require ( 'fs' );
fs . readFile ( `template with ${ filename } ` );
// inline
function foo () {
var fs = require ( 'fs' );
fs . readFile ( filename );
}
function foo () {
var { readFile : something } = require ( 'fs' );
something ( filename );
}
var fs = require ( 'fs' );
function foo () {
var { readFile : something } = fs . promises ;
something ( filename );
}
import fs from 'fs' ;
import path from 'path' ;
const key = fs . readFileSync ( path . resolve ( __dirname , foo ));
Compliant Code Examples var fs = require ( 'fs' );
var a = fs . open ( 'test' )
var something = require ( 'some' );
var a = something . readFile ( c );
var something = require ( 'fs' ). readFile , readFile = require ( 'foo' ). readFile ;
readFile ( c );
// TODO: allow path with constant arguments
import { promises as fsp } from 'fs' ;
import fs from 'fs' ;
import path from 'path' ;
// const index = await fsp.readFile(path.resolve(__dirname, './index.html'), 'utf-8');
// const key = fs.readFileSync(path.join(__dirname, './ssl.key'));
await fsp . writeFile ( path . resolve ( __dirname , './sitemap.xml' ), sitemap );
import fs from 'fs' ;
import path from 'path' ;
const dirname = path . dirname ( __filename )
// const key = fs.readFileSync(path.resolve(dirname, './index.html'));
import fs from 'fs' ;
// const key = fs.readFileSync(`${process.cwd()}/path/to/foo.json`);
import fs from 'fs' ;
import path from 'path' ;
import url from 'url' ;
// const dirname = path.dirname(url.fileURLToPath(import.meta.url));
// const html = fs.readFileSync(path.resolve(dirname, './index.html'), 'utf-8');
import fs from 'fs' ;
// const pkg = fs.readFileSync(require.resolve('eslint/package.json'), 'utf-8');
Seamless integrations. Try Datadog Code Security
