Critiq Docs
Get started
security.execution

Constrain module-loading trust boundaries

`require()` and dynamic `import()` should not resolve modules from untrusted input.

#Metadata

Rule ID
ts.security.import-using-user-input
Severity
high
Confidence
0.92
Languages
javascript, typescript
Presets
recommended, security, strict
Stability
stable
Applies to
block
Tags
execution, module-loading, rules-catalog, security

#Why it matters

Untrusted module paths let attackers steer module-loading boundaries toward unintended files, packages, or plugins.

#Remediation

Resolve modules from a fixed allowlist or explicit dispatcher instead of untrusted request or event data.

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/typescript/ts.security.import-using-user-input.rule.yaml.

Back to registryOpen rule in repository