logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

Inappropriate coding practices - Wildcard export - Typescript

Need

Enforce explicit exports in code modules

Context

  1. Usage of TypeScript for type-checking and compiling JavaScript code
  2. Usage of Express for building web applications and APIs
  3. Usage of body-parser for parsing request bodies in Express
  4. Usage of fs for file system operations

Description

Insecure Code Example

// Importing required modules
import * as express from 'express';
import * as bodyParser from 'body-parser';
import * as fs from 'fs';

// Creating an Express application
const app = express();

// Middleware to parse request bodies
app.use(bodyParser.json());

// Endpoint to read a file
app.get('/readFile', (req, res) => {
  const fileName = req.query.fileName;
  const fileContent = fs.readFileSync(fileName, 'utf-8');
  res.send(fileContent);
});

// Exporting the Express application
export default app;

The vulnerability in this code is the use of the wildcard operator (`*`) when importing modules. In the first line, the code imports all the functions and objects from the `express` module using the wildcard operator. Similarly, it imports all the functions and objects from the `body-parser` and `fs` modules. This practice of using the wildcard operator to import all functions and objects from a module is considered inappropriate coding practice. It can lead to several issues: 1. Exporting unnecessary functions and objects: By importing everything from a module, the code exports all the functions and objects, including those that are not needed in the current module. This can lead to a larger bundle size and expose unnecessary functionality to other parts of the application. 2. Suboptimal performance: Importing everything from a module can result in suboptimal performance because the code includes unnecessary code that may not be used. This can impact the overall performance of the application. To address this vulnerability, it is recommended to explicitly import only the necessary functions and objects from the modules. This ensures that only the required functionality is exported and used, improving code maintainability and performance.

Steps

  1. Replace wildcard import with explicit imports for the required modules
  2. Remove the import statement for the 'fs' module if it is not needed
  3. Update the code to use the explicitly imported modules instead of the wildcard import
  4. Re-export the necessary modules instead of exporting the entire Express application

Secure Code Example

// Importing required modules
import express from 'express';
import bodyParser from 'body-parser';
import { readFileSync } from 'fs';

// Creating an Express application
const app = express();

// Middleware to parse request bodies
app.use(bodyParser.json());

// Endpoint to read a file
app.get('/readFile', (req, res) => {
  const fileName = req.query.fileName;
  const fileContent = readFileSync(fileName, 'utf-8');
  res.send(fileContent);
});

// Exporting the necessary modules
export { express, bodyParser, readFileSync };
export default app;

The fixed code addresses the vulnerability by explicitly exporting only the necessary modules and packages for the correct operation of the application. First, the required modules are imported using the ES6 import syntax. The `express` module is imported from the 'express' package, the `body-parser` module is imported from the 'body-parser' package, and the `readFileSync` function is imported from the 'fs' module. Then, an Express application is created using the `express()` function and assigned to the `app` constant. The `body-parser` middleware is added to parse the request bodies using the `app.use()` method. An endpoint is defined using the `app.get()` method. This endpoint is '/readFile' and it handles GET requests. It takes a query parameter 'fileName' and reads the content of the file using the `readFileSync` function from the 'fs' module. The file content is then sent as the response using the `res.send()` method. Finally, the necessary modules and functions are explicitly exported using the `export` keyword. The `express`, `bodyParser`, and `readFileSync` modules/functions are exported. Additionally, the `app` object is exported as the default export. By explicitly exporting only the required modules and packages, the code avoids the inappropriate coding practice of using wildcard exports. This improves the maintainability of the module and ensures that only the necessary functions and packages are available for use.

References

  • 384 - Inappropriate coding practices - Wildcard export

    • Last updated

    2023/09/18