Check that path traversal checks are filesystem calls
It seems that when the eslint rules were converted into Semgrep rules, the code for making sure that it only detected filesystem calls got lost.

Rule as eslint: https://github.com/eslint-community/eslint-plugin-security/blob/main/rules/detect-non-literal-fs-filename.js

This causes a lot of false positive detections, since function names like "open" are very common outside filesystem operations.

gitlab-org/gitlab#364150 (closed)
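The difference between matching on the function name alone and matching only calls bound to the `fs` module, shown as an added example (not code from the Semgrep rule or from eslint-plugin-security). It is a regex-based simplification rather than an AST analysis; the sample source, the `FS_METHODS` subset and all function names are constructed for illustration, and only `require()` bindings are resolved.

```javascript
// Constructed sample input: two non-filesystem "open" calls and three fs calls.
const SAMPLE = `
const fs = require('fs');
const { readFile } = require('node:fs');
window.open(userUrl);
db.open(name);
fs.open(userPath, 'r', cb);
fs.readFileSync('/etc/hostname');
readFile(userPath, cb);
`;

// Subset of fs method names, chosen for this example.
const FS_METHODS = new Set(['open', 'readFile', 'readFileSync', 'writeFile']);
const REQ = String.raw`require\(\s*['"](?:node:)?fs(?:/promises)?['"]\s*\)`;

// Every "obj.method(arg" or "method(arg" call to a listed name with a non-literal first argument.
function nonLiteralCalls(src) {
  const re = /(?:\b([\w$]+)\s*\.\s*)?\b([\w$]+)\s*\(\s*([^,)]*)/g;
  return [...src.matchAll(re)]
    .map(([, object, method, arg]) => ({ object, method, arg: arg.trim() }))
    .filter((c) => FS_METHODS.has(c.method) && !/^(['"]).*\1$/.test(c.arg));
}

// Local names bound to the fs module via require(): namespaces and destructured functions.
function fsBindings(src) {
  const namespaces = new Set(), functions = new Set();
  for (const [, name] of src.matchAll(new RegExp(String.raw`([\w$]+)\s*=\s*` + REQ, 'g')))
    namespaces.add(name);
  for (const [, list] of src.matchAll(new RegExp(String.raw`\{([^}]*)\}\s*=\s*` + REQ, 'g')))
    for (const item of list.split(',')) functions.add(item.split(':').pop().trim());
  return { namespaces, functions };
}

const label = (c) => (c.object ? `${c.object}.${c.method}` : c.method);

// Name-only matching: the behaviour the issue describes as a source of false positives.
function nameOnly(src) {
  return nonLiteralCalls(src).map(label);
}

// Module-bound matching: report a call only when it resolves to an fs binding.
function moduleBound(src) {
  const { namespaces, functions } = fsBindings(src);
  return nonLiteralCalls(src)
    .filter((c) => (c.object ? namespaces.has(c.object) : functions.has(c.method)))
    .map(label);
}

console.log('name-only   :', nameOnly(SAMPLE));
console.log('module-bound:', moduleBound(SAMPLE));
```

On the sample, name-only matching also reports `window.open` and `db.open`, while module-bound matching keeps only the two calls that reach `fs` with a non-literal path.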