Writing unsanitized user-supplied data to a file can enable injection or distributed denial of service (DDoS) attacks. Validate or sanitize the user data before writing it to a file.
// Module wiring: file-system access plus a single Express application instance.
const fs = require('fs');
const express = require('express');
const app = express();
/**
 * Noncompliant example: registers a handler that copies a request
 * parameter straight into `data.txt` without validation.
 *
 * The handler reads `req.params.data` and hands it to `fs.writeFile`
 * unchanged, so whatever the client sent lands in the file verbatim.
 * A write error is rethrown from the callback.
 *
 * NOTE(review): an exception thrown inside the `fs.writeFile` callback is
 * not caught by Express and would terminate the process — relevant to the
 * availability concern this rule describes. The first argument to
 * `app.get` is a route path; the host-name string here is presumably a
 * placeholder.
 *
 * @returns {void}
 */
function fileInjectionNoncompliant() {
  const handleRequest = (req, res) => {
    const payload = req.params.data;
    // Noncompliant: the untrusted value reaches the file system unchanged.
    fs.writeFile('data.txt', payload, (err) => {
      if (err) throw err;
    });
  };
  app.get('www.example.com', handleRequest);
}
// Module wiring: file-system access plus a single Express application instance.
const fs = require('fs');
const express = require('express');
const app = express();
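/**
 * Compliant example: the request parameter is passed through `sanitize`
 * before it is written to `data.txt`.
 *
 * Compared with the minimal form, the handler always answers the client,
 * and a write failure is reported as a 500 response instead of being
 * thrown from the `fs.writeFile` callback — an exception thrown there is
 * not caught by Express and would terminate the process, which matters
 * for the availability concern this rule describes.
 *
 * `sanitize` is not defined on this page; it stands for whatever
 * validator or sanitizer the application applies to user input.
 *
 * @returns {void}
 */
function fileInjectionCompliant() {
  app.get('www.example.com', (req, res) => {
    // Compliant: user input is sanitized before use.
    const data = sanitize(req.params.data);
    fs.writeFile('data.txt', data, (err) => {
      if (err) {
        // Report the failure to the client rather than crashing the server.
        res.sendStatus(500);
        return;
      }
      res.sendStatus(204);
    });
  });
}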