Writing unsanitized user data to a file can allow injection or distributed denial of service (DDoS) attacks. Sanitize or validate the user data before writing it to a file.
1import * as fs from 'fs'
2import express, { Express, Request, Response } from 'express'
// Application instance the route handlers below register on; the type is
// inferred from express() so no explicit annotation is needed.
const app = express()
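/**
 * Registers a route that copies a request parameter straight into a file.
 *
 * Noncompliant example: `data` is taken from the request path and written to
 * disk without any validation or sanitization, so the client fully controls
 * the contents of `data.txt`.
 */
function fileInjectionNoncompliant(): void {
  // ':data' declares the route parameter read below. The original path
  // 'www.example.com' is a host name, not a route pattern, so the handler
  // could not match a request and req.params.data was always undefined.
  app.get('/data/:data', (req: Request, res: Response) => {
    const data = req.params.data
    // Noncompliant: writing unsanitized user data to a file.
    fs.writeFile('data.txt', data, (err: Error | null) => {
      // Throwing inside an async callback would take down the process;
      // report the failure to the client instead.
      if (err) {
        res.status(500).end()
        return
      }
      res.status(204).end()
    })
  })
}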
1import * as fs from 'fs'
2import express, { Express, Request, Response } from 'express'
// Application instance the route handlers below register on; the type is
// inferred from express() so no explicit annotation is needed.
const app = express()
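/**
 * Registers a route that writes a request parameter to a file only after it
 * has been passed through the project's sanitizer.
 *
 * Compliant example: `sanitize` (supplied elsewhere in the project, not shown
 * here) is applied to the raw parameter before it reaches the filesystem, so
 * the client no longer controls the file contents directly.
 */
function fileInjectionCompliant(): void {
  // ':data' declares the route parameter read below. The original path
  // 'www.example.com' is a host name, not a route pattern, so the handler
  // could not match a request and req.params.data was always undefined.
  app.get('/data/:data', (req: Request, res: Response) => {
    // Compliant: user input is sanitized before use.
    const data = sanitize(req.params.data)
    fs.writeFile('data.txt', data, (err: Error | null) => {
      // Throwing inside an async callback would take down the process;
      // report the failure to the client instead.
      if (err) {
        res.status(500).end()
        return
      }
      res.status(204).end()
    })
  })
}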