mirror of
https://github.com/goldbergyoni/nodebestpractices.git
synced 2025-11-03 03:36:26 +08:00
16 lines
606 B
Markdown
16 lines
606 B
Markdown
# Avoid module loading using a variable
|
|
|
|
### One Paragraph Explainer
|
|
|
|
Avoid requiring/importing another file with a path that was given as parameter due to the concern that it could have originated from user input. This rule can be extended for accessing files in general (i.e. `fs.readFile()`) or other sensitive resources with dynamic variables originating from user input.
|
|
|
|
### Code example
|
|
|
|
```javascript
|
|
// insecure, as helperPath variable may have been modified by user input
|
|
const uploadHelpers = require(helperPath);
|
|
|
|
// secure
|
|
const uploadHelpers = require('./helpers/upload');
|
|
```
|