Avoid require with non-literal values

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Metadata

ID: javascript-node-security/detect-non-literal-require

Language: JavaScript

Severity: Warning

Category: Security

Description

Importing packages from dynamic paths can be a security vulnerability. An attacker might provide an undesired path that leads to running arbitrary code or reading sensitive information from your file system.

In Node.js, the require() function is a built-in function that allows modules to be loaded. You can use it to include various types of files (like .js, .json, .node, etc) in your project.

If the argument to require() is a variable instead of a static string, and if that variable’s value can be influenced by user input, then an attacker might be able to exploit this to run arbitrary code or read sensitive files from your server’s disk. This is a serious security issue often referred to as arbitrary code execution.

Dynamic imports are a common source of arbitrary file read and code execution vulnerabilities. Avoid using variables with require or import statements. If you have an advanced use case that requires the use of dynamic imports, make sure to sanitize the input and have an allowed list of paths you can import code from. Always set the proper access control to your file system.

Non-Compliant Code Examples

var a = require(c);
var a = require(`${c}`);

Compliant Code Examples

var a = require('b');
var a = require(`b`);
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Analysis