Rule Definition
When a resource is not released after use, an attacker can cause a denial of service by repeatedly triggering the allocation without ever triggering the release, until the pool is exhausted. Frequently affected resources include memory, CPU, disk space, file descriptors, power or battery, etc.
Remediation
Always release the file descriptor with fs.close after obtaining it from fs.open, on every code path (success and error).
Always call fs.closeSync after fs.openSync, preferably in a finally block so the descriptor is also released when the intervening code throws.
Violation Code Sample
import * as fs from 'fs';

// Stand-in for the application's own write routine (assumed here so the sample runs; not part of the rule).
function writeMyData(fd) {
  fs.writeSync(fd, 'data');
}

// NOT VIOLATION: readFile opens and closes the file internally, no descriptor is handed to the caller.
fs.readFile('/etc/passwd', (err, data) => {
  if (err) throw err;
  console.log(data);
});

// VIOLATION: the descriptor returned by fs.open is never closed.
fs.open('myfile', 'wx', (err, fd) => {
  if (err) {
    if (err.code === 'EEXIST') {
      console.error('myfile already exists');
      return;
    }
    throw err;
  }
  writeMyData(fd); // fd is still open after this call and leaks on every invocation
});
Fixed Code Sample
import * as fs from 'fs';

// Stand-in for the application's own write routine (assumed here so the sample runs; not part of the rule).
function writeMyData(fd) {
  fs.writeSync(fd, 'data');
}

fs.open('myfile', 'wx', (err, fd) => {
  if (err) {
    if (err.code === 'EEXIST') {
      console.error('myfile already exists');
      return;
    }
    throw err;
  }
  writeMyData(fd);
  // Release the descriptor once the write is done; report a close failure instead of discarding it.
  fs.close(fd, (error) => {
    if (error) console.error('close failed:', error);
  });
});
Reference
https://nodejs.org/api/fs.html
OMG CISQ Recommendation: ASCRM-CWE-772 and ASCSM-CWE-772
Related Technologies
Technical Criterion
CWE-775 - Missing Release of File Descriptor or Handle after Effective Lifetime
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.