Inappropriate exposure of a directory listing could give attackers access to sensitive data or source code, either directly or through exploitation of an exposed file structure.
12
12
13
13
## Remediations
14
-
- Restrict access to sensitive directories and files
14
+
✅ Restrict access to sensitive directories and files
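Review bot: the new remediation line "✅ Restrict access to sensitive directories and files" is not actionable on its own; it only restates the risk from the description. Name the mechanism that produces the listing and how to turn it off in the server being configured (for example `Options -Indexes` for Apache or `autoindex off;` for nginx), and add that source and other non-public files belong outside the web root, since access restrictions on a directory do not help once the listing has already revealed its file names.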
description: "External control of filename or path detected."
37
37
remediation_message: |
38
38
## Description
39
-
Using raw unsanitized input when forming filenames or file paths is bad practice.
40
-
It can lead to path manipulation, by which attackers can gain access to resources outside of the intended scope.
39
+
Passing unsanitized user input to the sendFile API is bad practice and can lead to path manipulation, by which attackers can gain access to resources and data outside of the intended scope.
41
40
42
-
<!--
43
41
## Remediations
44
-
Coming soon.
42
+
✅ Set the root option to be an absolute path to a directory
43
+
44
+
```javascript
45
+
app.post("/upload", (req, res) => {
46
+
var options = {
47
+
root: path.join(__dirname, "upload")
48
+
}
49
+
res.sendFile(req.params.filename, options)
50
+
}
51
+
```
52
+
45
53
## Resources
46
-
Coming soon.
47
-
-->
54
+
- [Express sendFile API reference](http://expressjs.com/en/5x/api.html#res.sendFile)
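Review bot: the added JavaScript example (new lines 45 to 51) does not run as written: the route is declared as `/upload` with no `:filename` segment, so `req.params.filename` is always `undefined`, and the closing `}` ends the arrow function but the `app.post(` call itself is never closed with `)`. It also uses `path` without showing `const path = require("path")`. Suggest a route that actually carries the parameter, e.g. `app.get("/download/:filename", (req, res) => {` ... `res.sendFile(req.params.filename, { root: path.join(__dirname, "upload") });` ... `});`, with `var` replaced by `const`. A sentence in the remediation text would also help: `root` only constrains the file when the first argument is a relative path, and although Express's `send` layer refuses `..` segments that would escape `root`, an allowlist or `path.basename()` check on the user-supplied name is still worth recommending as a second layer.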
Using unsanitizer user input to seta X-Frame-Options HTTPresponseheader puts your application at risk for UI redress attacks (clickjacking).
24
+
Using unsanitized user input to set X-Frame-Options orContent-Security-PolicyHTTPheaders puts your application at risk for UI redress attacks (clickjacking).
28
25
29
-
<!--
30
26
## Remediations
31
-
Coming soon.
27
+
✅ Prefer the most secure values when setting these headers
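Review bot: the new remediation "✅ Prefer the most secure values when setting these headers" is too vague for a developer to act on; name the values: `X-Frame-Options: DENY` (or `SAMEORIGIN` where same-origin framing is required) and `Content-Security-Policy: frame-ancestors 'none'` (or `'self'`), and note that `frame-ancestors` supersedes `X-Frame-Options` in browsers that support it. Since the description at new line 24 frames the finding as user input reaching these headers, the remediation should also say directly that header values belong in constants or server configuration, never derived from request data, rather than only advising that the chosen values be secure.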
Avoid parsing untrusted data as XML. Such data could include URIs that resolve to resources that are outside of the current context, leading to XML External Entity (XXE) injection.
75
-
<!--
75
+
76
76
## Remediations
77
-
Coming soon.
77
+
❌ Do not enable parsing of external entities.
78
+
79
+
For LibXML, for example, do not set `noent` to `true`.
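Review bot: the hunk removes the opening `<!--` at old line 75 but no matching `-->` removal is visible below it, so the closing comment marker may still be sitting further down the file and would then render literally in the remediation message; check the rest of the file before merging. Also, `noent: true` is the right option to warn against for LibXML-based parsers, but entity substitution is only one XXE path: consider adding that external DTD loading should stay disabled as well, and, in line with the description's "Avoid parsing untrusted data as XML", that a non-XML format or schema-validated input is preferable where the application can choose.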