Importing packages from dynamic paths can be a security vulnerability. An attacker might provide an undesired path that leads to running arbitrary code or reading sensitive information from your file system.
In Node.js, the require() function is a built-in function that allows modules to be loaded. You can use it to include various types of files (like .js, .json, .node, etc) in your project.
If the argument to require() is a variable instead of a static string, and if that variable’s value can be influenced by user input, then an attacker might be able to exploit this to run arbitrary code or read sensitive files from your server’s disk. This is a serious security issue often referred to as arbitrary code execution.
Dynamic imports are a common source of arbitrary file read and code execution vulnerabilities. Avoid using variables with require or import statements. If you have an advanced use case that requires the use of dynamic imports, make sure to sanitize the input and have an allowed list of paths you can import code from. Always set the proper access control to your file system.
Non-Compliant Code Examples
vara=require(c);vara=require(`${c}`);
Compliant Code Examples
vara=require('b');vara=require(`b`);
Seamless integrations. Try Datadog Code Analysis
Datadog Code Analysis
Try this rule and analyze your code with Datadog Code Analysis
How to use this rule
1
2
rulesets:- javascript-node-security # Rules to enforce JavaScript node security.
Create a static-analysis.datadog.yml with the content above at the root of your repository
Use our free IDE Plugins or add Code Analysis scans to your CI pipelines