Avoid variables in 'fs' calls filename argument Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter .
TRY THIS RULE ID: typescript-node-security/detect-non-literal-fs-filename
Language: TypeScript
Severity: Warning
Category: Security
Description An attacker could manipulate the file system call argument leading to a path traversal attack where the attacker get access to files and directories within your server file system.
Non-Compliant Code Examples /// requires
var something = require ( 'fs' );
var a = something . open ( c );
var one = require ( 'fs' ). readFile ;
one ( filename );
var one = require ( 'node:fs' ). readFile ;
one ( filename );
var one = require ( 'fs/promises' ). readFile ;
one ( filename );
var something = require ( 'fs/promises' );
something . readFile ( filename );
var something = require ( 'node:fs/promises' );
something . readFile ( filename );
var something = require ( 'fs-extra' );
something . readFile ( filename );
var { readFile : something } = require ( 'fs' );
something ( filename )
//// imports
import { readFile as something } from 'fs' ;
something ( filename );
import { readFile as something } from 'node:fs' ;
something ( filename );
import { readFile as something } from 'fs-extra' ;
something ( filename );
import { readFile as something } from 'fs/promises'
something ( filename )
import { readFile as something } from 'node:fs/promises'
something ( filename )
import { readFile } from 'node:fs/promises'
something ( readFile )
import * as something from 'fs' ;
something . readFile ( filename );
import * as something from 'node:fs' ;
something . readFile ( filename );
/// promises
var something = require ( 'fs' ). promises ;
something . readFile ( filename )
var something = require ( 'node:fs' ). promises ;
something . readFile ( filename )
var something = require ( 'fs' );
something . promises . readFile ( filename )
var something = require ( 'node:fs' );
something . promises . readFile ( filename )
var fs = require ( 'fs' );
fs . readFile ( `template with ${ filename } ` );
// inline
function foo () {
var fs = require ( 'fs' );
fs . readFile ( filename );
}
function foo () {
var { readFile : something } = require ( 'fs' );
something ( filename );
}
var fs = require ( 'fs' );
function foo () {
var { readFile : something } = fs . promises ;
something ( filename );
}
import fs from 'fs' ;
import path from 'path' ;
const key = fs . readFileSync ( path . resolve ( __dirname , foo ));
Compliant Code Examples var fs = require ( 'fs' );
var a = fs . open ( 'test' )
var something = require ( 'some' );
var a = something . readFile ( c );
var something = require ( 'fs' ). readFile , readFile = require ( 'foo' ). readFile ;
readFile ( c );
// TODO: allow path with constant arguments
import { promises as fsp } from 'fs' ;
import fs from 'fs' ;
import path from 'path' ;
// const index = await fsp.readFile(path.resolve(__dirname, './index.html'), 'utf-8');
// const key = fs.readFileSync(path.join(__dirname, './ssl.key'));
await fsp . writeFile ( path . resolve ( __dirname , './sitemap.xml' ), sitemap );
import fs from 'fs' ;
import path from 'path' ;
const dirname = path . dirname ( __filename )
// const key = fs.readFileSync(path.resolve(dirname, './index.html'));
import fs from 'fs' ;
// const key = fs.readFileSync(`${process.cwd()}/path/to/foo.json`);
import fs from 'fs' ;
import path from 'path' ;
import url from 'url' ;
// const dirname = path.dirname(url.fileURLToPath(import.meta.url));
// const html = fs.readFileSync(path.resolve(dirname, './index.html'), 'utf-8');
import fs from 'fs' ;
// const pkg = fs.readFileSync(require.resolve('eslint/package.json'), 'utf-8');
Seamless integrations. Try Datadog Code Analysis