Avoid rendering resource based on unsanitized user input

Docs > Datadog Security > Code Security > Static Analysis (SAST) > SAST Rules > Avoid rendering resource based on unsanitized user input

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Metadata

ID: javascript-express/external-resource

Language: JavaScript

Severity: Warning

Category: Security

CWE: 706

Description

Rendering resources based on unsanitized user input should be avoided. At a minimum, one should use a safelist to restrict the potential resources that are exposed.

Non-Compliant Code Examples

app.get("/", (req, res) => {
    res.render(req.body.path)
    res.render(req.cookies.path)
    res.render(req.headers.path)
    res.render(req.params.path)
    res.render(req.query.path)
})

Compliant Code Examples

app.get("/", (req, res) => {
    const path = req.body.path
    if (["posts", "pages"].includes(path)) {
        return res.render(`${path}/success`)
    }
    res.render("error-page")
})