Critiq Docs
Get started
security.filesystem

Constrain local file generation paths

Local file writes should not derive their destination path from request or upload input.

#Metadata

Rule ID
ts.security.file-generation
Severity
high
Confidence
0.92
Languages
javascript, typescript
Presets
recommended, security, strict
Stability
stable
Applies to
block
Tags
file-write, filesystem, rules-catalog, security

#Why it matters

Attacker-controlled write paths can overwrite local state, escape intended directories, or create files in sensitive locations.

#Remediation

Generate the destination name on the server or constrain writes to an allowlisted directory and filename set.

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/typescript/ts.security.file-generation.rule.yaml.

Back to registryOpen rule in repository