Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

False positive for detect-non-literal-fs-filename

See original GitHub issue

detect-non-literal-fs-filename seems to also be triggered when passing fs.writeFile to other functions, especially explicitly safe ones like util.promisify.

The message is also quite wrong (“Found fs.writeFile with non literal argument at index 0”) while the actual warning is more that it’s being passed in to a function and who knows what that function does with it?

Issue Analytics

State:
Created 4 years ago
Reactions:2
Comments:9 (2 by maintainers)

Top GitHub Comments

3reactions

alvarocantadorcommented, Sep 16, 2021

+1 on this issue.

2reactions

Deepesh316commented, Sep 27, 2020

Any fix for the same?

Top Results From Across the Web

False positive detect-non-literal-fs-filename on _.exists #26

This needs to be re-written to actually see if fs was used, track it's assignment and make sure that method calls are on...

Remove non-literal-regexp and -fs-filename rules ... - GitLab

Problem to solve. A number of eslint, and the matching semgrep eslint, rules output a significant amount of false positives.

detect-non-literal-fs-filename - Semgrep

Detected that function argument `$ARG` has entered the fs module. An attacker could potentially control the location of this file, to include going ......

How to fix "Found fs.readFile with non literal argument at index ...

I am trying to add eslint-plugin-security in a TypeScript project. However, for these codes import { promises as fsp } from 'fs'; import...

nodesecurity - Bountysource

False positive detect-non-literal-fs-filename on _.exists $ 0. Created 5 years ago in nodesecurity/eslint-plugin-security with 7 comments.