Critiq Docs

security.filesystem

Do not persist upload filenames directly

Upload handlers should not store attacker-controlled filenames without generating or validating a safe local name.

# Metadata

| Field | Value |
| --- | --- |
| Rule ID | security.external-file-upload |
| Severity | high |
| Confidence | 0.82 |
| Languages | go, java, php, python, ruby, rust |
| Presets | recommended, security, strict |
| Stability | experimental |
| Applies to | block |
| Tags | filesystem, rules-catalog, security, upload |

# Why it matters

Upload filenames can carry traversal payloads, collisions, or misleading extensions that break local containment.

# Remediation

Generate a server-side filename or apply a strict allowlist before storing uploaded content.
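The pattern the rule flags beside the remediation it asks for, as an added Python example (not code from the Critiq project): the unsafe join of the client-supplied name, then a handler that allowlists the extension, generates a random server-side name, and refuses any resolved path outside the upload directory. The allowlist and the `upload_dir` layout are assumptions for the example.

```python
import os
import secrets
from pathlib import Path
from typing import Optional

# Constructed allowlist for the example; a real service decides this per upload type.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".pdf", ".txt"}


def unsafe_target_path(upload_dir: str, client_filename: str) -> str:
    """The pattern the rule flags: the client name is joined as-is.
    '../x', an absolute path, or 'shell.php' all pass straight through."""
    return os.path.join(upload_dir, client_filename)


def extension_allowlisted(client_filename: str) -> Optional[str]:
    """Return the lower-cased extension if allowlisted, else None.
    Only the final suffix counts, so 'a.php.png' is treated as .png."""
    ext = Path(os.path.basename(client_filename)).suffix.lower()
    return ext if ext in ALLOWED_EXTENSIONS else None


def generate_server_filename(client_filename: str) -> str:
    """Server-generated local name: random token plus the validated extension.
    Nothing the client sent survives except the allowlisted extension, so
    traversal sequences, collisions and misleading names cannot reach disk."""
    ext = extension_allowlisted(client_filename)
    if ext is None:
        raise ValueError(f"extension not allowed: {client_filename!r}")
    return secrets.token_hex(16) + ext


def resolve_within(upload_dir: str, local_name: str) -> str:
    """Defence in depth: refuse any resolved path that leaves upload_dir."""
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(base, local_name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes upload dir: {local_name!r}")
    return target


def store_upload(upload_dir: str, client_filename: str, data: bytes) -> str:
    """Hardened handler: generate the name, contain the path, write, return the path."""
    target = resolve_within(upload_dir, generate_server_filename(client_filename))
    with open(target, "xb") as fh:  # 'x' mode refuses to overwrite an existing file
        fh.write(data)
    return target
```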

# Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/shared/security.external-file-upload.rule.yaml.