Inappropriate coding practices - Wildcard export
Need
Enforce explicit exports in code modules
Context
- Usage of TypeScript for type-checking and compiling JavaScript code
- Usage of Express for building web applications and APIs
- Usage of body-parser for parsing request bodies in Express
- Usage of fs for file system operations
Description
Non compliant code
// Importing required modules
import * as express from 'express';
import * as bodyParser from 'body-parser';
import * as fs from 'fs';
// Creating an Express application
const app = express();
// Middleware to parse request bodies
app.use(bodyParser.json());
// Endpoint to read a file
app.get('/readFile', (req, res) => {
const fileName = req.query.fileName;
const fileContent = fs.readFileSync(fileName, 'utf-8');
res.send(fileContent);
});
// Exporting the Express application
export default app;
The vulnerability in this code is the use of the wildcard operator (*) when importing modules.
In the first line, the code imports all the functions and objects from the express module using the wildcard operator. Similarly, it imports all the functions and objects from the body-parser and fs modules.
This practice of using the wildcard operator to import all functions and objects from a module is considered inappropriate coding practice. It can lead to several issues:
-
Exporting unnecessary functions and objects: By importing everything from a module, the code exports all the functions and objects, including those that are not needed in the current module. This can lead to a larger bundle size and expose unnecessary functionality to other parts of the application.
-
Suboptimal performance: Importing everything from a module can result in suboptimal performance because the code includes unnecessary code that may not be used. This can impact the overall performance of the application.
To address this vulnerability, it is recommended to explicitly import only the necessary functions and objects from the modules. This ensures that only the required functionality is exported and used, improving code maintainability and performance.
Steps
- Replace wildcard import with explicit imports for the required modules
- Remove the import statement for the 'fs' module if it is not needed
- Update the code to use the explicitly imported modules instead of the wildcard import
- Re-export the necessary modules instead of exporting the entire Express application
Compliant code
// Importing required modules
import express from 'express';
import bodyParser from 'body-parser';
import { readFileSync } from 'fs';
// Creating an Express application
const app = express();
// Middleware to parse request bodies
app.use(bodyParser.json());
// Endpoint to read a file
app.get('/readFile', (req, res) => {
const fileName = req.query.fileName;
const fileContent = readFileSync(fileName, 'utf-8');
res.send(fileContent);
});
// Exporting the necessary modules
export { express, bodyParser, readFileSync };
export default app;
The fixed code addresses the vulnerability by explicitly exporting only the necessary modules and packages for the correct operation of the application.
First, the required modules are imported using the ES6 import syntax. The express module is imported from the 'express' package, the body-parser module is imported from the 'body-parser' package, and the readFileSync function is imported from the 'fs' module.
Then, an Express application is created using the express() function and assigned to the app constant.
The body-parser middleware is added to parse the request bodies using the app.use() method.
An endpoint is defined using the app.get() method. This endpoint is '/readFile' and it handles GET requests. It takes a query parameter 'fileName' and reads the content of the file using the readFileSync function from the 'fs' module. The file content is then sent as the response using the res.send() method.
Finally, the necessary modules and functions are explicitly exported using the export keyword. The express, bodyParser, and readFileSync modules/functions are exported. Additionally, the app object is exported as the default export.
By explicitly exporting only the required modules and packages, the code avoids the inappropriate coding practice of using wildcard exports. This improves the maintainability of the module and ensures that only the necessary functions and packages are available for use.