security.filesystem

Constrain `res.sendFile` to a trusted root

`res.sendFile()` must not be given a filename, or options such as `root`, taken from request input unless the requested name has first been constrained to a trusted root directory that is fixed in code.

#Metadata

#Why it matters

When a request parameter chooses the file that `res.sendFile()` returns, an attacker can supply `../` segments or an absolute path and read files outside the intended directory (path traversal), disclosing local files such as configuration, credentials or source. The checks built into `res.sendFile()` are not a substitute for a trusted root: a caller who controls the path can name any absolute path the process can read, and a caller who controls the `root` option can move the boundary wherever they like.

#Remediation

Keep the served directory fixed in code (an allowlisted root), treat the request value only as a relative name, and verify that the resolved path still lies under that root before anything reaches `res.sendFile()`. Pass the fixed directory as the `root` option rather than building an absolute path from request input, reject empty names, NUL bytes and dotfiles, and answer rejected names with a generic error rather than echoing the path back.

#Repository path

The generated metadata points to `critiq-rules/libs/rules/catalog/rules/typescript/ts.security.user-controlled-sendfile.rule.yaml`.