- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
ID: typescript-node-security/detect-non-literal-require
Language: TypeScript
Severity: Warning
Category: Security
Importing packages from dynamic paths can be a security vulnerability. An attacker might provide an undesired path that leads to running arbitrary code or reading sensitive information from your file system.
In Node.js, the require()
function is a built-in function that allows modules to be loaded. You can use it to include various types of files (like .js, .json, .node, etc) in your project.
If the argument to require()
is a variable instead of a static string, and if that variable’s value can be influenced by user input, then an attacker might be able to exploit this to run arbitrary code or read sensitive files from your server’s disk. This is a serious security issue often referred to as arbitrary code execution.
Dynamic imports are a common source of arbitrary file read and code execution vulnerabilities. Avoid using variables with require
or import
statements. If you have an advanced use case that requires the use of dynamic imports, make sure to sanitize the input and have an allowed list of paths you can import code from. Always set the proper access control to your file system.
const a = require(c);
const a = require(`${c}`);
var a = require('b');
var a = require(`b`);
|
|
For more information, please read the Code Analysis documentation
Identify code vulnerabilities directly in yourVS Code editor
Identify code vulnerabilities directly inJetBrains products