security.filesystem

Avoid attacker-controlled filesystem read paths

Direct filesystem read APIs should not consume request- or upload-controlled filenames.

#Metadata

#Why it matters

Dynamic read paths can expose unintended local files or bypass expected file-selection constraints.

#Remediation

Resolve reads from a trusted allowlist or a validated server-controlled mapping instead of external filenames.
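The flagged pattern beside a server-controlled mapping, as an added example that is not part of the rule's own source. The names `readUnsafe`, `readByKey`, `DOCUMENTS` and the temporary directory layout are hypothetical and constructed for the illustration.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Constructed sample layout: <tmp>/public holds the servable files, and
// <tmp>/secret.txt stands in for a local file that must never be served.
const ROOT = fs.mkdtempSync(path.join(os.tmpdir(), "fs-rule-"));
const PUBLIC_DIR = path.join(ROOT, "public");
fs.mkdirSync(PUBLIC_DIR);
fs.writeFileSync(path.join(PUBLIC_DIR, "terms.txt"), "terms v1");
fs.writeFileSync(path.join(PUBLIC_DIR, "privacy.txt"), "privacy v1");
fs.writeFileSync(path.join(ROOT, "secret.txt"), "constructed secret");

// Pattern to avoid: the externally supplied name becomes part of the read
// path, so the caller, not the server, decides which file is opened.
function readUnsafe(requestedName: string): string {
  return fs.readFileSync(path.join(PUBLIC_DIR, requestedName), "utf8");
}

// Remediation: the request supplies only a lookup key. Every path that can
// reach fs is a constant chosen by the server. A Map is used instead of a
// plain object so keys such as "constructor" do not hit inherited properties.
const DOCUMENTS: ReadonlyMap<string, string> = new Map([
  ["terms", path.join(PUBLIC_DIR, "terms.txt")],
  ["privacy", path.join(PUBLIC_DIR, "privacy.txt")],
]);

function readByKey(key: string): string | null {
  const file = DOCUMENTS.get(key);
  // Unknown keys are rejected before any filesystem call is made.
  return file === undefined ? null : fs.readFileSync(file, "utf8");
}
```

With the mapping, an unknown key fails closed without touching the filesystem, so the external value never influences path resolution.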

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/typescript/ts.security.non-literal-fs-filename.rule.yaml.