--- title: Avoid variables in 'fs' calls filename argument description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Static Code Analysis (SAST) > SAST Rules > Avoid variables in 'fs' calls filename argument --- # Avoid variables in 'fs' calls filename argument {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). (). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **ID:** `javascript-node-security/detect-non-literal-fs-filename` **Language:** JavaScript **Severity:** Warning **Category:** Security **CWE**: [22](https://cwe.mitre.org/data/definitions/22.html) **Related CWEs**: - [23](https://cwe.mitre.org/data/definitions/23.html) - [36](https://cwe.mitre.org/data/definitions/36.html) ## Description{% #description %} An attacker could manipulate the file system call argument, leading to a path traversal attack. In this case, the attacker can get access to files and directories within your server file system. ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```javascript /// requires var something = require('fs'); var a = something.open(c); var one = require('fs').readFile; one(filename); var one = require('node:fs').readFile; one(filename); var one = require('fs/promises').readFile; one(filename); var something = require('fs/promises'); something.readFile(filename); var something = require('node:fs/promises'); something.readFile(filename); var something = require('fs-extra'); something.readFile(filename); var { readFile: something } = require('fs'); something(filename) //// imports import { readFile as something } from 'fs'; something(filename); import { readFile as something } from 'node:fs'; something(filename); import { readFile as something } from 'fs-extra'; something(filename); import { readFile as something } from 'fs/promises' something(filename) import { readFile as something } from 'node:fs/promises' something(filename) import { readFile } from 'node:fs/promises' something(readFile) import * as something from 'fs'; something.readFile(filename); import * as something from 'node:fs'; something.readFile(filename); /// promises var something = require('fs').promises; something.readFile(filename) var something = require('node:fs').promises; something.readFile(filename) var something = require('fs'); something.promises.readFile(filename) var something = require('node:fs'); something.promises.readFile(filename) var fs = require('fs'); fs.readFile(`template with ${filename}`); // inline function foo () { var fs = require('fs'); fs.readFile(filename); } function foo () { var { readFile: something } = require('fs'); something(filename); } var fs = require('fs'); function foo () { var { readFile: something } = fs.promises; something(filename); } import fs from 'fs'; import path from 'path'; const key = fs.readFileSync(path.resolve(__dirname, foo)); ``` ## Compliant Code Examples{% #compliant-code-examples %} ```javascript var fs = require('fs'); var a = fs.open('test') var something = require('some'); var a = something.readFile(c); var something = require('fs').readFile, readFile = require('foo').readFile; readFile(c); // TODO: allow path with constant arguments import { promises as fsp } from 'fs'; import fs from 'fs'; import path from 'path'; // const index = await fsp.readFile(path.resolve(__dirname, './index.html'), 'utf-8'); // const key = fs.readFileSync(path.join(__dirname, './ssl.key')); await fsp.writeFile(path.resolve(__dirname, './sitemap.xml'), sitemap); import fs from 'fs'; import path from 'path'; const dirname = path.dirname(__filename) // const key = fs.readFileSync(path.resolve(dirname, './index.html')); import fs from 'fs'; // const key = fs.readFileSync(`${process.cwd()}/path/to/foo.json`); import fs from 'fs'; import path from 'path'; import url from 'url'; // const dirname = path.dirname(url.fileURLToPath(import.meta.url)); // const html = fs.readFileSync(path.resolve(dirname, './index.html'), 'utf-8'); import fs from 'fs'; // const pkg = fs.readFileSync(require.resolve('eslint/package.json'), 'utf-8'); ``` Seamless integrations. Try Datadog Code SecurityDatadog Code Security {% icon name="icon-external-link" /%}