
Check that pathtraversal checks are filesystem calls

Niklas Volcz requested to merge niklas.volcz/sast-rules:main into main

It seems that when the eslint rules were converted into Semgrep rules the code for making sure that it only detected filesystem calls got lost. Rule as eslint: https://github.com/eslint-community/eslint-plugin-security/blob/main/rules/detect-non-literal-fs-filename.js This causes a lot of false positive detections since function names like "open" are very common outside filesystem operations. gitlab-org/gitlab#364150 (closed)
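As an added illustration of the point raised above (this is an example rule written for this review, not the sast-rules project's own rule or the merge request's diff), the following Semgrep rule restricts the non-literal-filename check to calls on the Node.js `fs` module, which is what the original eslint rule does by looking at the callee object. The rule id, message and the list of method names are assumptions chosen for the example.

```yaml
rules:
  - id: example-non-literal-fs-filename
    languages: [javascript, typescript]
    severity: WARNING
    message: >
      A non-literal path is passed to a Node.js fs call. Normalize and
      validate the path before use to avoid path traversal.
    patterns:
      # Only consider calls whose receiver is the fs module, bound either
      # via require() or via an import statement.
      - pattern-either:
          - pattern-inside: |
              $FS = require('fs');
              ...
          - pattern-inside: |
              $FS = require('fs/promises');
              ...
          - pattern-inside: |
              import $FS from 'fs';
              ...
          - pattern-inside: |
              import * as $FS from 'fs';
              ...
      # Match direct calls and the fs.promises variant.
      - pattern-either:
          - pattern: $FS.$METHOD($PATH, ...)
          - pattern: $FS.promises.$METHOD($PATH, ...)
      # Literal filenames are not user-controlled; ignore them.
      - pattern-not: $FS.$METHOD("...", ...)
      - pattern-not: $FS.promises.$METHOD("...", ...)
      # Restrict to methods that take a path argument (example list,
      # not the complete Node.js fs API).
      - metavariable-regex:
          metavariable: $METHOD
          regex: ^(open|openSync|readFile|readFileSync|writeFile|writeFileSync|appendFile|appendFileSync|unlink|unlinkSync|readdir|readdirSync|stat|statSync|rename|renameSync|mkdir|mkdirSync|rmdir|rmdirSync|createReadStream|createWriteStream)$
```

With this rule, `fs.readFile(req.query.name, cb)` after `const fs = require('fs')` is reported, while `db.open(name)` or `window.open(url)` is not, because `$FS` is only bound to a module imported from `fs`. The `pattern-not` clauses keep calls with a string-literal first argument out of the results, matching the behaviour of the eslint rule linked above.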
