Backend safety

no-path-traversal

Flag `fs.readFile` / `path.join` / `res.sendFile` with request-sourced input (CWE-22).

Filesystem and path-building functions invoked with `req.query.file` / `req.params.path` are an arbitrary-file-read vector unless the resolved path is constrained to an allowlisted root. Recognises Express's `{ root }` second-arg option as the safe pattern.

Behavior

  • Fixable: No.
  • Suggestions: No.

Examples

Bad:

res.sendFile(req.query.name);

Good:

res.sendFile(req.query.name, { root: FILES_DIR });

Related rules

Use it

Enable no-path-traversal in your eslint.config.js:

import deslint from '@deslint/eslint-plugin';

export default [
  {
    plugins: { deslint },
    rules: {
      'deslint/no-path-traversal': 'error',
    },
  },
];
