Avoid request-driven array indexing without bounds checks | Critiq Docs

#Metadata

Rule ID: ts.security.request-driven-array-index-access
Severity: medium
Confidence: 0.72
Languages: javascript, typescript
Presets: security, strict
Stability: stable
Applies to: block
Tags: correctness, rules-catalog, security

#Why it matters

Attacker-controlled indexes bypass assumptions about array length and element initialization.

#Remediation

Parse and bound-check indexes, prefer maps keyed by stable identifiers, or avoid indexing arrays with request data.

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/typescript/ts.security.request-driven-array-index-access.rule.yaml.

Back to directory Open rule in repository