security.input-validation

Validate untrusted input before parser construction

Untrusted input should be validated before it is used to construct sensitive parsers or runtime objects.

#Metadata

#Why it matters

Passing untrusted text across regex or URL construction boundaries increases the risk of parser abuse, denial of service, and downstream policy bypass.

#Remediation

Validate, sanitize, or normalize the untrusted value before passing it into URL, RegExp, or similarly sensitive constructors.
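
The remediation above, sketched for the two constructors the rule names. This is an added example, not code from the rule catalog or the project itself; the function names, length limits and host allowlist are assumptions chosen for illustration.

```typescript
// Added example; names, limits and the host allowlist are assumptions.
const MAX_URL_LENGTH = 2048;
const MAX_PATTERN_LENGTH = 64;
const ALLOWED_HOSTS: readonly string[] = ["app.example.com", "docs.example.com"];

// Validate first, then construct: returns a URL only if the raw text passes
// cheap pre-checks and the parsed result satisfies the destination policy.
function parseTrustedUrl(raw: unknown): URL | null {
  if (typeof raw !== "string") return null;
  if (raw.length === 0 || raw.length > MAX_URL_LENGTH) return null;
  // Reject control characters, whitespace and backslashes, which the WHATWG
  // parser silently strips or rewrites and which confuse downstream checks.
  if (/[\u0000-\u0020\u007f\\]/.test(raw)) return null;
  let url: URL;
  try {
    url = new URL(raw); // absolute URLs only; no base argument
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null;
  if (url.username !== "" || url.password !== "") return null;
  if (ALLOWED_HOSTS.indexOf(url.hostname) === -1) return null;
  return url;
}

// Treat user text as a literal: cap the length, then escape every regex
// metacharacter so the constructor never sees caller-chosen syntax.
function buildLiteralSearch(raw: unknown): RegExp | null {
  if (typeof raw !== "string") return null;
  if (raw.length === 0 || raw.length > MAX_PATTERN_LENGTH) return null;
  const escaped = raw.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp(escaped, "i");
}
```

Both helpers return `null` on rejection, so callers must handle the failure path explicitly instead of falling back to the raw value.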

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/typescript/ts.security.unvalidated-external-input.rule.yaml.