Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Description
The application dynamically imports a module by calling `require` with a non-literal string. An adversary who controls that string can make the process load any file on the file system: a file that is not valid JavaScript fails to parse, and the resulting error discloses its first line; a file the adversary was able to write beforehand (for example through an upload directory) is executed as code.
Examples
Insecure Code

```javascript
const moduleName = getUserInput();
require(moduleName);
```

Secure Code

```javascript
require('module-name');
```

Remediation
Call `require` only with a hardcoded string literal. Never pass it a variable built at runtime or derived from user-supplied data. If the set of loadable modules must vary, select from an allow-list of literal `require` calls keyed by name rather than constructing the module path from input.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0199 |
| Category | Injection |
| Severity | LOW |
| CWE | CWE-95 |
| Confidence | HIGH |
| Impact | LOW |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | eval-injection, dynamic-import |
| OWASP | A1:2017-Injection, A03:2021-Injection |