Building URLs by concatenating or interpolating user input without an allowlist check enables SSRF via host manipulation.
new URL(`${textUriBase}/${resourceId}`);
Do not construct URLs from unvalidated user input. Use a URL allowlist or domain restriction.
HTTP endpoints defined without authentication middleware may be accessible to unauthorized users.
app.get("/sse", async (req, res) => {
Add authentication middleware to all routes that access or modify data.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
const entries = await fs.readdir(currentPath, {withFileTypes: true});
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
Direct usage of child_process module methods with variable arguments may allow command injection.
import { spawn } from 'child_process';
Use execFile with explicit argument arrays instead of child_process with string commands.
Building URLs by concatenating or interpolating user input without an allowlist check enables SSRF via host manipulation.
new URL(`${blobUriBase}/${resourceId}`);
Do not construct URLs from unvalidated user input. Use a URL allowlist or domain restriction.
Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.
const response = await fetch(url, { signal: controller.signal });
Validate and sanitize all URLs before making HTTP requests. Use an allowlist of permitted domains.
HTTP endpoints defined without authentication middleware may be accessible to unauthorized users.
app.post("/message", async (req, res) => {
Add authentication middleware to all routes that access or modify data.
HTTP endpoints defined without authentication middleware may be accessible to unauthorized users.
app.post("/mcp", async (req: Request, res: Response) => {
Add authentication middleware to all routes that access or modify data.
HTTP endpoints defined without authentication middleware may be accessible to unauthorized users.
app.get("/mcp", async (req: Request, res: Response) => {
Add authentication middleware to all routes that access or modify data.
HTTP endpoints defined without authentication middleware may be accessible to unauthorized users.
app.delete("/mcp", async (req: Request, res: Response) => {
Add authentication middleware to all routes that access or modify data.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.mkdir(path.join(testDir, 'src'));
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.mkdir(path.join(testDir, 'node_modules'));
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.mkdir(path.join(testDir, '.git'));
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.mkdir(path.join(testDir, 'nested', 'node_modules'), { recursive: true });
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.writeFile(path.join(testDir, '.env'), 'SECRET=value');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.writeFile(path.join(testDir, '.env.local'), 'LOCAL_SECRET=value');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.writeFile(path.join(testDir, 'src', 'index.js'), 'console.log("hello");');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.writeFile(path.join(testDir, 'package.json'), '{}');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.writeFile(path.join(testDir, 'node_modules', 'module.js'), 'module.exports = {};');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.writeFile(path.join(testDir, 'nested', 'node_modules', 'deep.js'), 'module.exports = {};');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
Using path.join or path.resolve with variables from user input without validation can lead to directory traversal.
: path.resolve('/home/user', relativePath);
Sanitize user input before passing to path.join/resolve. Use path.normalize() and check for '..' sequences.
Direct access to sensitive files like /etc/passwd, /etc/shadow, or SSH keys indicates potential data exfiltration.
const testPath = process.platform === 'win32' ? 'C:\\Windows\\System32\\file.txt' : '/etc/passwd';
Remove direct references to sensitive system files. Use a restricted file access layer.
Paths containing '../' sequences can escape intended directories and access arbitrary files on the filesystem.
expect(isPathWithinAllowedDirectories('/home/user/project/../../../etc/passwd', allowed)).toBe(false);
Validate and sanitize file paths. Use path.resolve() with a base directory and verify the result stays within the allowed root.
Direct access to sensitive files like /etc/passwd, /etc/shadow, or SSH keys indicates potential data exfiltration.
expect(isPathWithinAllowedDirectories('/etc/passwd', allowed)).toBe(false);
Remove direct references to sensitive system files. Use a restricted file access layer.
Direct access to sensitive files like /etc/passwd, /etc/shadow, or SSH keys indicates potential data exfiltration.
expect(isPathWithinAllowedDirectories('/etc/passwd', allowed)).toBe(true);
Remove direct references to sensitive system files. Use a restricted file access layer.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.writeFile(targetFile, 'test');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.mkdir(allowedDir, { recursive: true });
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.mkdir(forbiddenDir, { recursive: true });
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.writeFile(targetPath, 'content');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.mkdir(path.dirname(newFilePath), { recursive: true });
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.writeFile(targetFile, 'TARGET_CONTENT');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.mkdir(actualTargetDir, { recursive: true });
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.writeFile(targetFile, 'FILE_CONTENT');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.mkdir(actualTargetDir, { recursive: true });
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.writeFile(targetFile, 'FILE_CONTENT');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.writeFile(actualTarget, 'FINAL_CONTENT');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.mkdir(allowedDir, { recursive: true });
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.mkdir(forbiddenDir, { recursive: true });
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.writeFile(targetFile, 'ORIGINAL CONTENT', 'utf-8');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.writeFile(testPath, 'MODIFIED CONTENT', 'utf-8');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
const targetContent = await fs.readFile(targetFile, 'utf-8');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.writeFile(testPath, 'NEW CONTENT', 'utf-8');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
const targetContent = await fs.readFile(targetFile, 'utf-8');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.mkdir(path.join(sub1Path, 'sub2'), { recursive: true });
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.writeFile(deepPath, 'CONTENT', 'utf-8');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.writeFile(targetFile, 'ORIGINAL CONTENT', 'utf-8');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
fs.writeFile(racePath, 'NEW CONTENT', { encoding: 'utf-8', flag: 'wx' })
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
const targetContent = await fs.readFile(targetFile, 'utf-8');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.writeFile(legitFile, 'ORIGINAL', 'utf-8');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
const content = await fs.readFile(legitFile, 'utf-8');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.writeFile(targetFile, 'TARGET CONTENT', 'utf-8');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
const symlinkContent = await fs.readFile(symlinkPath, 'utf-8');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
const targetContent = await fs.readFile(targetFile, 'utf-8');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.writeFile(legitFile, 'LEGIT CONTENT', 'utf-8');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.writeFile(targetFile, 'FORBIDDEN CONTENT', 'utf-8');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.unlink(legitFile);
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
const targetContent = await fs.readFile(targetFile, 'utf-8');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.writeFile(legitFile, 'PUBLIC CONTENT', 'utf-8');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.writeFile(secretFile, 'SECRET CONTENT', 'utf-8');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.unlink(legitFile);
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
const content = await fs.readFile(legitFile, 'utf-8');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.writeFile(forbiddenTarget, 'ORIGINAL CONTENT', 'utf-8');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.writeFile(tempFile, 'NEW CONTENT', 'utf-8');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
const targetContent = await fs.readFile(targetSymlink, 'utf-8');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
const forbiddenContent = await fs.readFile(forbiddenTarget, 'utf-8');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.mkdir(accessibleDir, { recursive: true });
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.mkdir(accessibleDir2, { recursive: true });
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.writeFile(filePath, 'content');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.writeFile(path.join(testDir, 'test.txt'), 'test content');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.mkdir(path.join(testDir, 'subdir'));
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.writeFile(path.join(testDir, 'subdir', 'nested.txt'), 'nested content');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.mkdir(validPath, { recursive: true });
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
const entries = await fs.readdir(validPath, { withFileTypes: true });
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
const entries = await fs.readdir(validPath, { withFileTypes: true });
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
const entries = await fs.readdir(validPath, { withFileTypes: true });
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
return await fs.readFile(filePath, encoding as BufferEncoding);
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.writeFile(filePath, content, { encoding: "utf-8", flag: 'wx' });
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.writeFile(tempPath, content, 'utf-8');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.unlink(tempPath);
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
const content = normalizeLineEndings(await fs.readFile(filePath, 'utf-8'));
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.writeFile(tempPath, modifiedContent, 'utf-8');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.unlink(tempPath);
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
const entries = await fs.readdir(currentPath, { withFileTypes: true });
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.unlink(oldMemoryPath);
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.unlink(newMemoryPath);
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.writeFile(oldMemoryPath, '{"test":"data"}');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.writeFile(oldMemoryPath, '{"old":"data"}');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.writeFile(newMemoryPath, '{"new":"data"}');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.writeFile(oldMemoryPath, testContent);
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
const migratedContent = await fs.readFile(newMemoryPath, 'utf-8');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.unlink(testFilePath);
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
const fileContent = await fs.readFile(testFilePath, 'utf-8');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
const fileContent = await fs.readFile(testFilePath, 'utf-8');
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
const data = await fs.readFile(this.memoryFilePath, "utf-8");
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.writeFile(this.memoryFilePath, lines.join("\n"));
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.