• CodeQL query help documentation »
• CodeQL query help for JavaScript and TypeScript »

Unnecessary use of cat process

ID: js/unnecessary-use-of-cat
Kind: problem
Security severity: 6.3
Severity: error
Precision: high
Tags:
   - correctness
   - security
   - maintainability
   - external/cwe/cwe-078
Query suites:
   - javascript-code-scanning.qls
   - javascript-security-extended.qls
   - javascript-security-and-quality.qls

Click to see the query in the CodeQL repository

Using the unix command cat only to read a file is an unnecessarily complex way to achieve something that can be done in a simpler and safer manner using the Node.js fs.readFile API.

The use of cat for simple file reads leads to code that is unportable, inefficient, complex, and can lead to subtle bugs or even security vulnerabilities.

Recommendation

Use fs.readFile or fs.readFileSync to read files from the file system.

Example

The following example shows code that reads a file using cat:

var child_process = require('child_process');

module.exports = function (name) {
    return child_process.execSync("cat " + name).toString();
};

The code in the example will break if the input name contains special characters (including space). Additionally, it does not work on Windows and if the input is user-controlled, a command injection attack can happen.

The fs.readFile API should be used to avoid these potential issues:

var fs = require('fs');

module.exports = function (name) {
    return fs.readFileSync(name).toString();
};

References

• OWASP: Command Injection.

• Node.js: File System API.

• The Useless Use of Cat Award.

• Common Weakness Enumeration: CWE-78.

• © GitHub, Inc.
• Terms
• Privacy