← all rules
code/js-path-traversal
Path Traversal: fs read with user-controlled path
What it detects
fs.readFile/createReadStream with a user-derived path can read arbitrary files (../../etc/passwd). Resolve against a fixed root and verify with path.resolve + startsWith.
How it runs
Applied line-by-line via a tagged regex with language-specific gating. Comments are skipped. Designed for high-confidence patterns where AST parsing would be overkill.
Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.