Severity
Low
Short Description
Accesses the file system, and could potentially read sensitive data.
Suggestion
If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to them instead.
The Filesystem Access alert monitors your project's dependencies for any interactions with the file system. Accessing the file system can pose significant security risks by potentially allowing dependencies to read sensitive data. This alert helps identify and mitigate such risks by notifying you when dependencies perform file system operations.
If a package is flagged with the Filesystem Access alert, here are a few ways you can investigate it and make changes where necessary:
Review File Access Patterns: Examine the files and directories being accessed to ensure they are legitimate and necessary.
Clarify File Access Needs: If a package must read the file system, it should clearly specify what it will read and ensure it accesses only the necessary files. Not all packages will be this helpful in identifying the scope and necessity of file operations, so further examination of the code may be necessary.
Delegate File Access to Consumers: When appropriate, packages should allow consumers of the package to handle file system access. The package can operate on data passed to it instead of directly accessing the file system, reducing the risk of unintended data exposure. If you are unsure of the necessity here, you may want to replace this dependency with one that doesn't access the filesystem directly.
Here's an example where Socket is flagging a package with the Filesystem Access alert due to its use of the fs module:
The Filesystem Access alert detects when a package imports or uses file system modules or functions that enable interaction with the system's file storage. Specifically, it scans the dependency's codebase for the use of file system-related APIs, such as the fs module in Node.js (const fs = require('fs');) or equivalent modules in other programming languages. By identifying these imports or method calls (e.g., fs.readFile, fs.writeFile), Socket flags packages that have the capability to read from or write to the file system. For Node.js this covers the fs module, including both its synchronous and asynchronous methods for interacting with the file system. The alert reports a capability, not an observed behaviour: a flagged package may be reading exactly what it documents, so treat it as a prompt to review the package rather than as a verdict on it.