Ts Unsafe Require Module Inclusion
Description
Detects dynamic module inclusion in Express.js applications that could allow arbitrary file inclusion. The vulnerability occurs when user-controlled input influences which file is loaded through a require() call or a dynamic import() expression. Node resolves relative, parent-directory ('../') and absolute paths, executes any .js file it loads and parses .json files, so an attacker who controls the path can run code from a file they are able to place on disk (an upload, a temporary file) or read the contents of a configuration file, leading to remote code execution or sensitive file disclosure.
Detection Strategy
• Code must be using the Express.js framework (checks for 'express' module imports)
• Identifies require() or import statements that use dynamic/variable values instead of static strings
• Reports a vulnerability when the module path in require()/import is constructed from variables or expressions rather than being a direct string literal
• Flags cases where the imported module path could be manipulated by user input or external data
Vulnerable code example
const express = require('express');
const app = express();

app.get('/load-plugin', (req, res) => {
  const pluginName = req.query.name;
  // VULNERABLE: the request chooses the module. A value such as
  // '../../config/secrets.json' or an absolute path is resolved and loaded by require()
  const plugin = require(pluginName);
  res.send('Plugin loaded');
});

app.listen(3000);

✅ Secure code example
const express = require('express');
const app = express();
// SECURE: allow-list of plugins; the request value is only a lookup key
const ALLOWED_PLUGINS = { logger: './plugins/logger' };

app.get('/load-plugin', (req, res) => {
  const pluginName = req.query.name;
  // hasOwnProperty rejects inherited keys such as 'constructor' or '__proto__'
  if (!Object.prototype.hasOwnProperty.call(ALLOWED_PLUGINS, pluginName)) return res.status(400).send('Unknown plugin');
  const plugin = require(ALLOWED_PLUGINS[pluginName]);
  res.send('Plugin loaded');
});

app.listen(3000);