Critiq Docs

security.filesystem

Harden Fiber multipart uploads

Fiber upload helpers should enforce size limits and never persist client-controlled filenames without normalization.

#Metadata

Rule ID: go.security.fiber-unsafe-multipart-upload
Severity: high
Confidence: 0.76
Languages: go
Presets: security, strict
Stability: experimental
Applies to: block
Tags: fiber, go, rules-catalog, security

#Why it matters

`FormFile`/`SaveFile` flows that concatenate the client-supplied `Filename` into a path, or skip `filepath.Base`, are a common vector for path traversal and storage abuse.

#Remediation

Apply `filepath.Base`, cap reader sizes, allowlist extensions, and store uploads using server-generated object keys.
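
The remediation steps above, combined in one sketch. This is an added example, not code from the Critiq rule or from Fiber; it uses only the standard library so it runs without Fiber installed. The names `storageKey`, `copyCapped`, `allowedExt` and `errTooLarge` and the allowlist contents are assumptions; in a handler, `Filename` from the `*multipart.FileHeader` returned by `c.FormFile` goes to `storageKey`, and the opened file is the `src` of `copyCapped`.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

var allowedExt = map[string]bool{".png": true, ".jpg": true, ".pdf": true} // assumed allowlist

// storageKey maps a client-supplied Filename to a server-generated object key;
// only the allowlisted extension of the original name survives.
func storageKey(clientName string) (string, error) {
	// Treat backslashes as separators too, so Windows-style names are reduced on any OS.
	base := filepath.Base(strings.ReplaceAll(clientName, `\`, "/"))
	ext := strings.ToLower(filepath.Ext(base))
	if !allowedExt[ext] {
		return "", fmt.Errorf("extension %q not allowed", ext)
	}
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return "", err
	}
	return hex.EncodeToString(id) + ext, nil
}

var errTooLarge = errors.New("upload exceeds size cap")

// copyCapped reads at most limit+1 bytes and fails if src holds more than limit.
// On error the caller must discard whatever was written to dst.
func copyCapped(dst io.Writer, src io.Reader, limit int64) (int64, error) {
	n, err := io.Copy(dst, io.LimitReader(src, limit+1))
	if err == nil && n > limit {
		err = errTooLarge
	}
	return n, err
}

func main() {
	for _, name := range []string{"../../etc/cron.d/job", `..\..\shell.PNG`, "report.pdf"} { // constructed inputs
		key, err := storageKey(name)
		fmt.Printf("%-24q -> %q err=%v\n", name, key, err)
	}
	_, err := copyCapped(io.Discard, strings.NewReader("0123456789"), 4)
	fmt.Println("10 bytes with cap 4:", err)
}
```

Because the stored name is generated server-side, the original `Filename` can be kept as metadata for display without ever reaching the filesystem path.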

#Repository path

The generated metadata points to `critiq-rules/libs/rules/catalog/rules/go/go.security.fiber-unsafe-multipart-upload.rule.yaml`.