import and require statements must be passed string literals so that users cannot gain arbitrary access to code.

Conformance is available on Enterprise plans

import and require statements load code from another file. When the location of the import is influenced by user input, the user may be able to load code that would otherwise be inaccessible to them. Such imports should be guarded so that arbitrary code cannot be loaded through the import statement.

The following code would be flagged by this rule:

function loadDynamicCode(moduleName: string) {
  // moduleName is not a string literal, so any specifier can reach import()
  return import(moduleName);
}

In this example, there is no guarantee that the moduleName passed in is not arbitrary input that could load unintended code.

Instances of this rule should be reviewed by a knowledgeable security person. If user input is used to select which module is loaded, guards against arbitrary strings should be added, such as only allowing access to a list of valid options. If no user input is involved in the import, then this code could be allowlisted after being reviewed by a security team member, but developers should be careful to ensure that only the desired code can be loaded.
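
One way to write the allowlist guard described above, as an added example that is not code from the original page or from Conformance itself. The names LOADERS, resolveLoader and loadAllowedCode are hypothetical, and Node built-in modules stand in for an application's own modules:

```typescript
// Added example: allowlist guard for dynamic imports (all names hypothetical).
type Loader = () => Promise<unknown>;

// Every import() below receives a string literal, so the set of loadable
// modules is fixed when the code is written. Node built-ins stand in for
// application modules so the example runs offline.
const LOADERS: ReadonlyMap<string, Loader> = new Map<string, Loader>([
  ["path", () => import("node:path")],
  ["url", () => import("node:url")],
  ["querystring", () => import("node:querystring")],
]);

// Maps untrusted input to a loader, or undefined when it is not allowed.
// A Map is used instead of a plain object so that inherited keys such as
// "constructor" or "__proto__" never match, and the comparison is exact:
// no trimming, case folding or path normalisation is applied to the input.
function resolveLoader(requested: unknown): Loader | undefined {
  if (typeof requested !== "string") {
    return undefined;
  }
  return LOADERS.get(requested);
}

// Guarded counterpart of loadDynamicCode: user input only selects an entry
// in the allowlist and is never passed to import() itself.
async function loadAllowedCode(requested: unknown): Promise<unknown> {
  const loader = resolveLoader(requested);
  if (loader === undefined) {
    // JSON.stringify keeps control characters out of the error message.
    throw new Error("module not in allowlist: " + JSON.stringify(requested));
  }
  return loader();
}
```
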

Last updated on June 19, 2024