Insecure object attribute modification Medium

An object attribute constructed from a user-provided input should be considered unsafe because this input can be used to make unexpected modifications to the object.

Detector ID
typescript/insecure-object-attribute-modification@v1.0
Category
Common Weakness Enumeration (CWE) external icon

Noncompliant example

1import express, {Request, Response} from 'express'
2var app = express()
3function insecureObjectAttributeModificationNoncompliant() {
4    app.get('www.example.com', (req: Request, res: Response) => {
5        var userId = req.params.id
6        // Noncompliant: external input used as object property.
7        req.session.user[userId] = req.body['userDetails']
8    });
9}

Compliant example

1import express, {Request, Response} from 'express'
2var app = express()
3function insecureObjectAttributeModificationCompliant() {
4    app.get('www.example.com', (req: Request, res: Response) => {
5        var userId = req.params.id
6        // Compliant: checks the type of userId as string.
7        if (typeof userId === 'string') {
8            req.session.user[userId] = req.body['userDetails']
9        }
10    });
11}