gitlab.eslint.detect-non-literal-fs-filename
A variable is present in the filename argument of fs calls; this might allow an attacker to access anything on your system.
Definition
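---
# Semgrep port of eslint-plugin-security's detect-non-literal-fs-filename.
# Reports Node `fs` calls whose path argument is not a string literal
# (a variable, template string, concatenation, ...). The check is purely
# syntactic: it does no taint tracking, so a path assembled from constants
# is reported exactly like one built from request input, and no
# validation or normalisation of the argument is recognised. Triage
# findings by checking where the path value originates.
rules:
  - id: eslint.detect-non-literal-fs-filename
    patterns:
      # Exclude calls whose path arguments are all string literals.
      # "..." matches any string literal; APIs that take two paths
      # (copyFile, link, rename, symlink) must have both literal to be
      # excluded. access/copyFile/opendir/rm (and their Sync variants)
      # are covered in addition to the original list because they also
      # take a filesystem path.
      - pattern-not: $MOD.access("...", ...)
      - pattern-not: $MOD.accessSync("...", ...)
      - pattern-not: $MOD.appendFile("...", ...)
      - pattern-not: $MOD.appendFileSync("...", ...)
      - pattern-not: $MOD.chmod("...", ...)
      - pattern-not: $MOD.chmodSync("...", ...)
      - pattern-not: $MOD.chown("...", ...)
      - pattern-not: $MOD.chownSync("...", ...)
      - pattern-not: $MOD.copyFile("...", "...", ...)
      - pattern-not: $MOD.copyFileSync("...", "...", ...)
      - pattern-not: $MOD.createReadStream("...", ...)
      - pattern-not: $MOD.createWriteStream("...", ...)
      - pattern-not: $MOD.exists("...", ...)
      - pattern-not: $MOD.existsSync("...", ...)
      - pattern-not: $MOD.lchmod("...", ...)
      - pattern-not: $MOD.lchmodSync("...", ...)
      - pattern-not: $MOD.lchown("...", ...)
      - pattern-not: $MOD.lchownSync("...", ...)
      - pattern-not: $MOD.link("...", "...", ...)
      - pattern-not: $MOD.linkSync("...", "...", ...)
      - pattern-not: $MOD.lstat("...", ...)
      - pattern-not: $MOD.lstatSync("...", ...)
      - pattern-not: $MOD.mkdir("...", ...)
      - pattern-not: $MOD.mkdirSync("...", ...)
      - pattern-not: $MOD.open("...", ...)
      - pattern-not: $MOD.openSync("...", ...)
      - pattern-not: $MOD.opendir("...", ...)
      - pattern-not: $MOD.opendirSync("...", ...)
      - pattern-not: $MOD.readdir("...", ...)
      - pattern-not: $MOD.readdirSync("...", ...)
      - pattern-not: $MOD.readFile("...", ...)
      - pattern-not: $MOD.readFileSync("...", ...)
      - pattern-not: $MOD.readlink("...", ...)
      - pattern-not: $MOD.readlinkSync("...", ...)
      - pattern-not: $MOD.realpath("...", ...)
      - pattern-not: $MOD.realpathSync("...", ...)
      - pattern-not: $MOD.rename("...", "...", ...)
      - pattern-not: $MOD.renameSync("...", "...", ...)
      - pattern-not: $MOD.rm("...", ...)
      - pattern-not: $MOD.rmSync("...", ...)
      - pattern-not: $MOD.rmdir("...", ...)
      - pattern-not: $MOD.rmdirSync("...", ...)
      - pattern-not: $MOD.stat("...", ...)
      - pattern-not: $MOD.statSync("...", ...)
      - pattern-not: $MOD.symlink("...", "...", ...)
      - pattern-not: $MOD.symlinkSync("...", "...", ...)
      - pattern-not: $MOD.truncate("...", ...)
      - pattern-not: $MOD.truncateSync("...", ...)
      - pattern-not: $MOD.unlink("...", ...)
      - pattern-not: $MOD.unlinkSync("...", ...)
      - pattern-not: $MOD.unwatchFile("...", ...)
      - pattern-not: $MOD.utimes("...", ...)
      - pattern-not: $MOD.utimesSync("...", ...)
      - pattern-not: $MOD.watch("...", ...)
      - pattern-not: $MOD.watchFile("...", ...)
      - pattern-not: $MOD.writeFile("...", ...)
      - pattern-not: $MOD.writeFileSync("...", ...)
      # Every remaining call to one of these functions is reported.
      # $MOD is a metavariable, so the receiver is not checked: `fs`, an
      # aliased import and `fs.promises` all match, but so does any
      # unrelated object with a same-named method (e.g. `.open`, `.rm`).
      # Bare destructured imports (`readFile(p)` with no receiver) are
      # not covered by this rule.
      - pattern-either:
          - pattern: $MOD.access(...)
          - pattern: $MOD.accessSync(...)
          - pattern: $MOD.appendFile(...)
          - pattern: $MOD.appendFileSync(...)
          - pattern: $MOD.chmod(...)
          - pattern: $MOD.chmodSync(...)
          - pattern: $MOD.chown(...)
          - pattern: $MOD.chownSync(...)
          - pattern: $MOD.copyFile(...)
          - pattern: $MOD.copyFileSync(...)
          - pattern: $MOD.createReadStream(...)
          - pattern: $MOD.createWriteStream(...)
          - pattern: $MOD.exists(...)
          - pattern: $MOD.existsSync(...)
          - pattern: $MOD.lchmod(...)
          - pattern: $MOD.lchmodSync(...)
          - pattern: $MOD.lchown(...)
          - pattern: $MOD.lchownSync(...)
          - pattern: $MOD.link(...)
          - pattern: $MOD.linkSync(...)
          - pattern: $MOD.lstat(...)
          - pattern: $MOD.lstatSync(...)
          - pattern: $MOD.mkdir(...)
          - pattern: $MOD.mkdirSync(...)
          - pattern: $MOD.open(...)
          - pattern: $MOD.openSync(...)
          - pattern: $MOD.opendir(...)
          - pattern: $MOD.opendirSync(...)
          - pattern: $MOD.readdir(...)
          - pattern: $MOD.readdirSync(...)
          - pattern: $MOD.readFile(...)
          - pattern: $MOD.readFileSync(...)
          - pattern: $MOD.readlink(...)
          - pattern: $MOD.readlinkSync(...)
          - pattern: $MOD.realpath(...)
          - pattern: $MOD.realpathSync(...)
          - pattern: $MOD.rename(...)
          - pattern: $MOD.renameSync(...)
          - pattern: $MOD.rm(...)
          - pattern: $MOD.rmSync(...)
          - pattern: $MOD.rmdir(...)
          - pattern: $MOD.rmdirSync(...)
          - pattern: $MOD.stat(...)
          - pattern: $MOD.statSync(...)
          - pattern: $MOD.symlink(...)
          - pattern: $MOD.symlinkSync(...)
          - pattern: $MOD.truncate(...)
          - pattern: $MOD.truncateSync(...)
          - pattern: $MOD.unlink(...)
          - pattern: $MOD.unlinkSync(...)
          - pattern: $MOD.unwatchFile(...)
          - pattern: $MOD.utimes(...)
          - pattern: $MOD.utimesSync(...)
          - pattern: $MOD.watch(...)
          - pattern: $MOD.watchFile(...)
          - pattern: $MOD.writeFile(...)
          - pattern: $MOD.writeFileSync(...)
    message: >
      A variable is present in the filename argument of fs calls, this might
      allow an attacker to access anything on your system.
    languages:
      - typescript
      - javascript
    severity: WARNING
    metadata:
      # Mapped weakness; the CWE title is kept on one line so the quoted
      # scalar cannot be mis-folded by tooling.
      cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
      primary_identifier: eslint.detect-non-literal-fs-filename
      secondary_identifiers:
        - name: ESLint rule ID security/detect-non-literal-fs-filename
          type: eslint_rule_id
          value: security/detect-non-literal-fs-filename
      license: MIT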