An object attribute whose name is taken from user-provided input should be considered unsafe, because that input can be used to make unexpected modifications to the object.
1import express, {Request, Response} from 'express'
// Single Express application instance shared by the route-registration helpers below.
const app = express();
/**
 * Registers a GET handler that writes request-supplied user details into
 * `req.session.user` under a key also supplied by the request.
 *
 * Noncompliant example: the property name is used exactly as received, so the
 * client decides which entry of `req.session.user` gets overwritten.
 */
function insecureObjectAttributeModificationNoncompliant() {
  const handler = (req: Request, res: Response) => {
    const { id: userId } = req.params;
    // Noncompliant: external input used as object property.
    req.session.user[userId] = req.body['userDetails'];
  };
  app.get('www.example.com', handler);
}
1import express, {Request, Response} from 'express'
// Single Express application instance shared by the route-registration helpers below.
const app = express();
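/**
 * Registers a GET handler that stores request-supplied user details under a
 * request-supplied key of `req.session.user`.
 *
 * Compliant example: the key is accepted only when it is a string AND it is
 * not one of the property names that reach an object's prototype chain.
 * A `typeof` check alone is not sufficient: `'__proto__'` is a string as
 * well, and assigning to it replaces the prototype of `req.session.user`
 * instead of adding a user entry. `constructor` and `prototype` are excluded
 * too, as they are the usual path to the same prototype objects.
 */
function insecureObjectAttributeModificationCompliant() {
  // Property names that must never be chosen by untrusted input.
  const reservedKeys = ['__proto__', 'constructor', 'prototype'];
  app.get('www.example.com', (req: Request, res: Response) => {
    const userId = req.params.id;
    // Compliant: checks the type of userId as string and rejects reserved keys.
    if (typeof userId === 'string' && !reservedKeys.includes(userId)) {
      req.session.user[userId] = req.body['userDetails'];
    }
  });
}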