Critiq Docs


security.path-traversal

Avoid request-controlled Express static mount paths

The path prefix for express.static should not be derived directly from request objects.

#Metadata

Rule ID: ts.security.express-user-controlled-static-mount
Severity: high
Confidence: 0.8
Languages: javascript, typescript
Presets: security, strict
Stability: stable
Applies to: block
Tags: express, path, rules-catalog, security

#Why it matters

User-controlled mount paths can collapse routing assumptions and expose unintended directories.

#Remediation

Use fixed, reviewed path prefixes and map external identifiers to internal paths through an allowlist.

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/typescript/ts.security.express-user-controlled-static-mount.rule.yaml.