ast/path-traversal-fs

Path traversal: fs API called with user-controlled path

critical · AST · path-traversal · CWE-22 · js · ts

What it detects

A Node.js fs.* call receives a path argument that is, or is derived from, a value sourced from req.body, req.query, req.params, req.headers, ctx.request, or `userInput`. Even when wrapped in path.join(__dirname, ...), the user-controlled segment can include `../` and escape the intended directory. Use a strict allow-list of filenames or join with a sanitised basename instead.

How it runs

Each file scanned is parsed with the TypeScript Compiler API (via ts-morph). This rule walks the AST looking for the call shape and user-input flow it describes. Skipped on files larger than 200 KB or that fail to parse.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.