Untrusted user input in require() function
Description
Passing untrusted user input directly into the require() function without validation leads to remote code execution (RCE). require() resolves the string it is given against the filesystem (relative paths, absolute paths, or package names under node_modules) and then executes the module it finds. An attacker who controls that string can therefore load any module the process can read, including a file they placed on the host themselves (for example through an upload feature), or use path traversal such as ../../tmp/payload to reach code outside the intended directory. Because the loaded code runs with the full privileges of the Node.js process, this can result in data theft, system compromise, or unauthorized access.
Examples
Insecure Code
```javascript
// Vulnerable: the module specifier is attacker-controlled, so require()
// resolves and executes whatever file or package the input names.
require(userInput);
```
Secure Code
```javascript
// Only a fixed set of package names is ever handed to require(); any other
// value, including path-like input such as '../../tmp/x', is never loaded.
const allowedPkgs = ['package1', 'package2', 'package3'];
if (allowedPkgs.includes(userInput)) {
  require(userInput);
}
```
Remediation
Do not pass user-controlled strings to require(). Where the set of loadable modules is known in advance, define an allowlist of the exact names (or a map from a user-supplied key to a developer-chosen module specifier) and reject anything that is not on it. Prefer an allowlist of complete names over trying to sanitize path characters out of the input: stripping ".." or "/" is error-prone, while an exact-match allowlist guarantees the value reaching require() is one the developer chose.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0374 |
| Category | Injection |
| Severity | CRITICAL |
| CWE | CWE-706 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | HIGH |
| Exploitability | EASY |
| Tags | Remote Code Execution, RCE |
| OWASP | A1:2017-Injection, A03:2021-Injection |