react-doctor/path-traversal-risk

Building a filesystem path from request input lets an attacker use `..` or absolute paths to read or write files outside the intended directory.

• Category: Security
• Severity: warn
• Source: oxlint-plugin-react-doctor
• Framework: global
• Enabled when: production source files (.js/.ts/.jsx/.tsx, etc.); test/build/doc/generated and dev-tooling paths (`tools/`, `scripts/`, `management/commands/`, build/gulpfile/gruntfile) skipped

Validation prompt

Use this to decide whether a fired diagnostic is real or a false positive.

Fires when readFile/readFileSync/writeFile/writeFileSync( takes a first argument that is — or a template literal containing — request data (req./request./params./query./body./parsed.), or when path.join(/path.resolve( includes one of those accessors. A negative lookbehind keeps a literal filename segment like 'render-query.js' (the query. inside a string) from matching, and comments are stripped first. FALSE POSITIVE: the request value is already validated/normalized against a fixed base directory (basename-only, traversal rejected) before the fs/path call — the static check sees the accessor but not the upstream sanitization — or the matched req./query. is a property of a non-request object that happens to share the name.

Fix prompt

Use this once validation confirms the diagnostic is real.

Map user-visible identifiers to server-owned paths (look up an allowlisted filename by id) instead of joining caller input directly. When a path must come from input, take only path.basename(...), then path.resolve(BASE, input) and confirm the result still starts with BASE so .. or absolute paths cannot escape. Never pass req, params, query, or body data into fs calls unchecked.