Critiq Docs
Get started
security.filesystem

Path traversal via user input

File access calls must not use request-controlled paths directly.

#Metadata

Rule ID
security.no-request-path-file-read
Severity
high
Confidence
0.85
Languages
go, java, javascript, php, python, ruby, rust, typescript
Presets
recommended, security, strict
Stability
stable
Applies to
block
Tags
filesystem, path-traversal, rules-catalog, security

#Why it matters

User-controlled paths can escape the intended directory and expose sensitive files.

#Remediation

Resolve the path against a trusted base directory and reject values that escape it.

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/shared/security.no-request-path-file-read.rule.yaml.

Back to registryOpen rule in repository