False positive for detect-non-literal-fs-filename

[freaktechnik]

detect-non-literal-fs-filename seems to also be triggered when passing fs.writeFile to other functions, especially explicitly safe ones like util.promisify.

The message is also quite wrong ("Found fs.writeFile with non literal argument at index 0") while the actual warning is more that it's being passed in to a function and who knows what that function does with it?

[mikecbrant]

+1 on this issue.

Code to reproduce...

import fs from 'fs';
import { promisify } from 'util';

const readFile = promisify(fs.readFile);

[FelixRe0]

+1
Seems to also false positive on a variable with a .link key
Found fs.link with non literal argument at index 1 security/detect-non-literal-fs-filename
ie:
console.log('this should not be an issue', item.link)

[cope]

Also
Found fs.truncate with non literal argument at index 0
_.truncate(item.description, {...

[modestfake]

It also false positive for any function with name which overlaps with fs method names:

const id = '123'

const obj = {
  readFile() {
    return 1
  },
  writeFile() {
    return 2
  },
}

obj.readFile(id) // Yields here
obj.writeFile(id) // and here

[Deepesh316]

Any fix for the same?

[alvaroinckot]

+1 on this issue.

[jesusprubio]

Summary
False positive for any function with name which overlaps with fs method names. Examples:

• False positive for detect-non-literal-fs-filename #54 (comment)
• False positive for detect-non-literal-fs-filename #54 (comment)

Still relevant?
Yes.

Next steps

• Work in a fix

[jesusprubio]

Verified with the actual version and this snippet:

const fs = require('fs');
const { promisify } = require('util');

const readFile = promisify(fs.readFile);

Versions:

• Node: 16.14.0
• ESLint: 8.11.0
• eslint-plugin-security: 1.4.0

[revelt]

PR raised

[ota-meshi]

I believe this issue has been fixed in the latest version.
https://github.com/eslint-community/eslint-plugin-security/releases/tag/v1.6.0
It was fixed by PR #92.

[nzakas]

Yup, you're correct. Thanks!