
non-literal-require

Ensure node uses literal require statements

The crux of this secure coding practice is to be as explicit as possible when importing libraries.

This rule is triggered when a non-literal (for example, a variable) is passed to require to load a module. This is a potential vulnerability: an attacker who can influence that variable may load and execute unintended code, changing what your program does, or use it to access arbitrary files on the host.

Examples

Insecure Example

// Imagine if getDatabaseHost were reachable with user-supplied input
function getDatabaseHost(filepath: string) {
    // Non-literal require: whatever path the caller passes is resolved,
    // loaded and executed as a module.
    const rawConfigFile = require(filepath);
    return rawConfigFile;
}

Secure Example

In most cases, the remediation is to use an explicit import instead of the require.

By doing so, you shut the door on loading arbitrary code based on user input to your system, and you also get type checking for the imported symbols.

Rewriting the code above to be more explicit is safer.

import { databaseHost } from "./config";

function getDatabaseHost(): string {
    return databaseHost;
}

More Information

Using TypeScript imports is not always possible, especially if you are loading a JS module. If you are attempting to import an external library, you could try to install the type definitions for that library so you can selectively import only the code you need.
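The secure example above works when there is a single config to import. Sometimes the choice genuinely has to be made at runtime (for example by environment name); the remediation is then to keep every module specifier a literal and select between the already-loaded modules through a fixed allow-list, so no caller-controlled string ever reaches the module loader. The following is an added illustration, not code from the rule's documentation; the config objects, the DatabaseConfig interface and the function names are constructed for the example, and in a real code base each config would be a static import such as import * as dev from "./config.development".

```typescript
// Added example: runtime selection of a config without a non-literal require.

interface DatabaseConfig {
    databaseHost: string;
    databasePort: number;
}

// Constructed sample configs. In real code these would be static imports
// with literal specifiers that the non-literal-require rule can verify.
const developmentConfig: DatabaseConfig = {
    databaseHost: "localhost",
    databasePort: 5432,
};
const productionConfig: DatabaseConfig = {
    databaseHost: "db.internal.example",
    databasePort: 5432,
};

// The allow-list is the complete set of loadable configs. Its keys are fixed
// literals, so there is nothing for an attacker-controlled string to reach.
const CONFIGS: Readonly<Record<string, DatabaseConfig>> = {
    development: developmentConfig,
    production: productionConfig,
};

// hasOwnProperty rather than `envName in CONFIGS`, so inherited keys such as
// "constructor" or "toString" are not treated as known environments.
function isKnownEnvironment(envName: string): boolean {
    return Object.prototype.hasOwnProperty.call(CONFIGS, envName);
}

// Returns the config for a known environment name and throws for anything
// else, including path-like input such as "../../etc/passwd".
function getDatabaseConfig(envName: string): DatabaseConfig {
    const config = CONFIGS[envName];
    if (!isKnownEnvironment(envName) || config === undefined) {
        throw new Error(`unknown environment: ${JSON.stringify(envName)}`);
    }
    return config;
}

// Mirrors the page's getDatabaseHost(), now backed by the allow-list.
function getDatabaseHost(envName: string): string {
    return getDatabaseConfig(envName).databaseHost;
}
```

With this shape the linter sees only literal imports, the set of loadable modules is visible in one place for review, and a bad environment name fails loudly instead of resolving to an unexpected file.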