Critiq Docs

security.filesystem

Sanitize archive entry paths before writing

Archive extraction should not write entry names directly to the filesystem.

# Metadata

Rule ID: security.archive-path-traversal
Severity: high
Confidence: 0.82
Languages: go, java, php, python, ruby, rust
Presets: recommended, security, strict
Stability: experimental
Applies to: block
Tags: archive, filesystem, path-traversal, rules-catalog, security

# Why it matters

Archive entries can contain traversal paths that overwrite files outside the intended extraction directory.

# Remediation

Normalize each entry path against a trusted extraction root and reject paths that escape it.
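A containment check of the kind this remediation describes, as an added Python example (not Critiq's own rule code): each zip entry name is normalized against the extraction root and rejected when it is absolute or climbs above the root. The sample archive, the `resolve_entry` and `safe_extract` names and the `/srv/extract` root are constructed for the illustration.

```python
import io
import os
import tempfile
import zipfile
from typing import Optional

def resolve_entry(root: str, name: str) -> Optional[str]:
    """Map an archive entry name to a path under root, or return None if it escapes.

    Absolute and drive-letter names are rejected up front because os.path.join
    would discard root for them; '..' segments are collapsed by normpath and the
    result must still share root as its common path."""
    root = os.path.realpath(root)
    unix_name = name.replace("\\", "/")  # archives built on Windows may use backslashes
    if os.path.isabs(unix_name) or os.path.splitdrive(unix_name)[0]:
        return None
    candidate = os.path.normpath(os.path.join(root, unix_name))
    if os.path.commonpath([root, candidate]) != root:
        return None  # climbed above the extraction root
    return candidate

def safe_extract(archive: bytes, dest: str):
    """Extract only entries that resolve under dest; return (written, rejected) names."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            target = resolve_entry(dest, info.filename)
            if target is None:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written, rejected

def build_sample_zip() -> bytes:
    """Constructed sample: one benign entry and two whose names escape the root."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        zf.writestr("../../outside.txt", "traversal entry")  # classic zip-slip name
        zf.writestr("/abs/outside.txt", "absolute entry")    # absolute name
    return buf.getvalue()

def run_demo():
    """Extract the sample into a throwaway directory and report what happened."""
    with tempfile.TemporaryDirectory() as d:
        return safe_extract(build_sample_zip(), d)
```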

# Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/shared/security.archive-path-traversal.rule.yaml.