File injection High

Writing unsanitized user data to a file could allow injection or distributed denial of service (DDoS) attacks. Validate or sanitize the user data before writing it to a file.

Detector ID
typescript/file-injection@v1.0
Category
Common Weakness Enumeration (CWE)

Noncompliant example

1import * as fs from 'fs'
2import express, { Express, Request, Response } from 'express'
3const app: Express = express()
/**
 * Registers a GET route on the shared `app` whose handler copies a request
 * path parameter straight into a file.
 *
 * The destination path ('data.txt') is fixed; it is the file *content* that
 * is attacker-controlled, which is what the detector reports here.
 */
function fileInjectionNoncompliant() {
  app.get('www.example.com', (req: Request, res: Response) => {
    // Taken directly from the request: untrusted, never validated.
    const data = req.params.data

    const onWritten = function (err: Error | null) {
      if (err) throw err
    }

    // Noncompliant: writing unsanitized user data to a file.
    fs.writeFile('data.txt', data, onWritten)
  })
}

Compliant example

1import * as fs from 'fs'
2import express, { Express, Request, Response } from 'express'
3const app: Express = express()
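/**
 * Registers a GET route on the shared `app` whose handler writes a request
 * path parameter to a file only after it has passed through `sanitize`.
 *
 * `sanitize` is the application's validator for the parameter; it is not
 * imported in this snippet and must be in scope wherever this is used.
 */
function fileInjectionCompliant() {
  app.get('www.example.com', (req: Request, res: Response) => {
    // Compliant: user input is sanitized before use.
    const data = sanitize(req.params.data)

    fs.writeFile('data.txt', data, (err: Error | null) => {
      // Throwing inside an fs callback escapes the request handler and
      // brings the process down as an uncaught exception, so the failure is
      // reported to the client instead. The response is finished in both
      // branches so the request does not hang.
      if (err) {
        res.sendStatus(500)
        return
      }
      res.sendStatus(204)
    })
  })
}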