eslint-plugin-security
Version:
Security rules for eslint
44 lines (39 loc) • 1.3 kB
JavaScript
/**
* Tries to detect calls to require with non-literal argument
* @author Adam Baldwin
*/
;
const { isStaticExpression } = require('../utils/is-static-expression');
//------------------------------------------------------------------------------
// Rule Definition
//------------------------------------------------------------------------------
module.exports = {
meta: {
type: 'error',
docs: {
description: 'Detects "require(variable)", which might allow an attacker to load and run arbitrary code, or access arbitrary files on disk.',
category: 'Possible Security Vulnerability',
recommended: true,
url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-non-literal-require.md',
},
},
create: function (context) {
return {
CallExpression: function (node) {
if (node.callee.name === 'require') {
const args = node.arguments;
if (
args &&
args.length > 0 &&
!isStaticExpression({
node: args[0],
scope: context.getScope(),
})
) {
return context.report({ node: node, message: 'Found non-literal argument in require' });
}
}
},
};
},
};