Found fs.open with non literal argument at index 0 when using url built from arguments

I’m trying to do something like this (typescript)

window.open(`https://somelink/certificate/${regNumber}?registrationNumber=${type}`);

where regNumber and type are very dynamic.
ESLint is giving me an error
Found fs.open with non literal argument at index 0 security/detect-non-literal-fs-filename

I know this is a path traversal vulnerability (https://owasp.org/www-community/attacks/Path_Traversal), but I simply cannot figure out how to go around it. Any ideas? Thanks


> Solution:

In your case, this rule can be safely ignored.

What the rule does is make a list of these object keys, which includes open, and then check whether any property accessed in the code (or, more specifically, any MemberExpression) matches one of those keys.

So, while it’ll generate a warning for fs.writeFile and fs.open, for example, it’ll also generate one for window.open, despite the fact that the client-side window object is completely different from fs.

fs methods allow for broad manipulation of the server’s filesystem. Allowing arbitrary access to this is a bad idea.

window.open only allows a client’s browser to open a window to another address, which is nearly innocuous and has very little chance of harming anything.

There’s still a potential small vulnerability, but the potential vulnerability will exist regardless of your window.open code – if the webserver is set up improperly and allows arbitrary URL accesses to do something improper (which would be pretty unlikely), that means there’s a big issue to fix on the server – but it’s not an issue that client-side code should try to deal with.

If the project you’re working on does not contain any server-side code, feel free to disable the security/detect-non-literal-fs-filename rule for the whole project.
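The following is an added example, not code from the question or the answer above. It shows the two things a practitioner would actually do with the snippet from the question: silence the rule on the one window.open line instead of project-wide, and build the URL so that neither regNumber nor type can leave the intended path segment or query parameter. The base URL and the registrationNumber parameter come from the question; the function names, the "_blank"/"noopener" arguments, and the origin/path-prefix check are assumptions made for this example. Only the URL builder is exercised outside a browser; openCertificate needs a real window.

```javascript
// Added example (not from the original post). Base URL and query parameter
// name are taken from the question; everything else is assumed for this example.
const CERTIFICATE_BASE = "https://somelink/certificate/";

// Build the certificate URL from untrusted regNumber/type values.
function buildCertificateUrl(regNumber, type) {
  // encodeURIComponent percent-escapes "/", "?", "#", "&" and friends, so a
  // value such as "../admin" becomes "..%2Fadmin" and stays inside one path
  // segment instead of being resolved by the URL parser.
  const url = new URL(encodeURIComponent(String(regNumber)), CERTIFICATE_BASE);

  // searchParams does the query encoding ("&" -> %26, "=" -> %3D), so type
  // cannot smuggle in extra parameters.
  url.searchParams.set("registrationNumber", String(type));

  // Defensive invariant: same origin, same path prefix, exactly one extra
  // segment. encodeURIComponent leaves "." and ".." untouched, so a regNumber
  // of ".." would otherwise resolve to https://somelink/ ; this check catches
  // that case, an empty regNumber, and any future refactor that drops the
  // encoding above.
  const base = new URL(CERTIFICATE_BASE);
  const segment = url.pathname.startsWith(base.pathname)
    ? url.pathname.slice(base.pathname.length)
    : "";
  if (url.origin !== base.origin || segment === "" || segment.includes("/")) {
    throw new Error("certificate URL escaped its base: " + url.href);
  }
  return url.href;
}

// Browser-only: opens the built URL in a new tab. The eslint directive is
// scoped to this single line, so any real fs.open elsewhere in the code base
// would still be reported.
function openCertificate(regNumber, type) {
  const href = buildCertificateUrl(regNumber, type);
  // eslint-disable-next-line security/detect-non-literal-fs-filename
  return window.open(href, "_blank", "noopener,noreferrer");
}
```

If the code base has no server-side code at all, the same rule can instead be turned off for the whole project with `"security/detect-non-literal-fs-filename": "off"` under `rules` in the ESLint configuration, which is the blanket option the answer above suggests; the per-line directive is the narrower choice when the project mixes browser and Node code.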
