Do not persist upload filenames directly
Upload handlers should not store attacker-controlled filenames without generating or validating a safe local name.
# Metadata
# Why it matters
Upload filenames can carry traversal payloads, collisions, or misleading extensions that break local containment.
# Remediation
Generate a server-side filename or apply a strict allowlist before storing uploaded content.
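One way to apply this remediation, as an added example (not code from the critiq-rules project): the client filename contributes only an allowlisted extension, the stored name is generated server-side, and the resolved path is checked against the upload root. The names `safeStoragePath` and `ALLOWED_EXTENSIONS`, the extension policy, and the `/srv/uploads` directory are assumptions made for illustration.

```typescript
import * as path from "path";
import { randomUUID } from "crypto";

// Assumed policy for this example: the only extensions the application accepts.
const ALLOWED_EXTENSIONS = new Set([".png", ".jpg", ".jpeg", ".pdf"]);

// Returns the absolute path to write the upload to, or throws if it is rejected.
// Nothing from the client-supplied name survives except a validated extension.
function safeStoragePath(uploadDir: string, clientName: string): string {
  // Treat "\" and "/" as separators regardless of host OS; keep the last segment.
  const lastSegment = clientName.replace(/\\/g, "/").split("/").pop() ?? "";
  const ext = path.extname(lastSegment).toLowerCase();
  if (!ALLOWED_EXTENSIONS.has(ext)) {
    throw new Error(`rejected upload extension: ${JSON.stringify(ext)}`);
  }
  // A random server-side name removes traversal segments and name collisions.
  const root = path.resolve(uploadDir);
  const target = path.resolve(root, `${randomUUID()}${ext}`);
  // Defence in depth: the resolved path must still sit inside the upload root.
  if (!target.startsWith(root + path.sep)) {
    throw new Error("resolved path escapes upload directory");
  }
  return target;
}

// Constructed sample filenames covering traversal, a disallowed extension,
// a collision with an existing name, and mixed-case extensions.
const SAMPLE_NAMES = [
  "../../app/avatar.png",
  "..\\..\\windows\\win.ini",
  "shell.php",
  "avatar.png",
  "Report.PDF",
];

// Maps each sample name to the stored path, or to the rejection reason.
function classifySamples(uploadDir: string): Record<string, string> {
  const out: Record<string, string> = {};
  for (const name of SAMPLE_NAMES) {
    try {
      out[name] = safeStoragePath(uploadDir, name);
    } catch (err) {
      out[name] = `REJECTED: ${(err as Error).message}`;
    }
  }
  return out;
}
```

The extension check constrains the stored name only; validating the file's actual content type is a separate control.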
# Repository path
The generated metadata points to critiq-rules/libs/rules/catalog/rules/typescript/ts.security.external-file-upload.rule.yaml.