guatedude2 / node-readfiles Goto Github PK

Hi @guatedude2, following #7 and #9, CodeQL reported another finding (see screenshot below):

• Title: Incomplete string escaping or encoding.
• Location: lib/readfiles.js:13
• Description: Sanitizing untrusted input is a common technique for preventing injection attacks such as SQL injection or cross-site scripting. Usually, this is done by escaping meta-characters such as quotes in a domain-specific way so that they are treated as normal characters.
• Tool: CodeQL
• Rule ID: js/incomplete-sanitization

You probably see the same on your CodeQL dashboard.

Is this a true positive or false positive?

Thanks

Problem examples in README.MD

readfiles('/path/to/dir/', {
  depth: 0
}, function (err, content, filename) {

readfiles('/path/to/dir/', {
  filter: '*' // instead of the default '**'
}, function (err, content, filename) {

etc..

Hi @guatedude2, following #7 and #8, CodeQL reported another finding (see screenshot below):

• Title: Incomplete string escaping or encoding.
• Location: lib/readfiles.js:13
• Description: Sanitizing untrusted input is a common technique for preventing injection attacks such as SQL injection or cross-site scripting. Usually, this is done by escaping meta-characters such as quotes in a domain-specific way so that they are treated as normal characters.
• Tool: CodeQL
• Rule ID: js/incomplete-sanitization

You probably see the same on your CodeQL dashboard.

Is this a true positive or false positive?

Thanks

Title: Double escaping or unescaping
File: utils/readfiles.js:20
Tool: CodeQL
Rule ID: js/double-escaping
Query: View source

document

hidden: a boolean value whether to exclude hidden files prefixed with a . (defaults to true)

68 lines of code

          // skip file if it's a hidden file and the hidden option is not set
          if (options.hidden !== true && /^\./.test(filename)) {
            return next();
          }