# Path Traversal in File Operations

- ID: javascript-path-traversal
- Severity: CRITICAL
- CWE: Path Traversal (CWE-22)
- Languages: JavaScript, TypeScript
- Frameworks: nodejs, express, fastify, koa, hapi, nestjs, lambda, serverless, graphql

## Description

Detects untrusted user input used in file system operations without proper validation. An attacker who controls the path can use `../` segments or an absolute path to read or write arbitrary files on the server.

## Detection Message

User-controlled path from {source} is used in file operation at {sink} without proper sanitization. This can lead to unauthorized file access (path traversal attack).

## Remediation

Use path.basename() to extract only the filename, or resolve the full path and verify that it stays within the allowed directory.

```javascript
const fs = require('fs');
const path = require('path');

// Keep only the final path component; any directory part, including "../", is discarded.
const safeName = path.basename(userInput);
const filePath = path.join(__dirname, 'uploads', safeName);
fs.readFile(filePath, callback);
```

Learn more: https://shoulder.dev/learn/javascript/cwe-22/path-traversal

## Related Rules

- **Path Traversal via File Operations** [HIGH]
- **Zip Slip / Path Traversal in Archive** [HIGH]
- **Zip Slip Path Traversal** [HIGH]
- **Path Traversal / Directory Traversal** [HIGH]
- **Zip Slip / Archive Path Traversal** [HIGH]