id: generic-path-traversal

info:
  name: Generic - Path Traversal
  author: me_dheeraj (https://twitter.com/Dheerajmadhukar)
  severity: info
  description: Untrusted user input in readFile()/readFileSync() can endup in Directory Traversal Attacks.
  tags: file,nodejs
file:
  - extensions:
      - all
    matchers:
      - type: regex
        regex:
          - "[^\\.]*\\.createReadStream\\([^\\)]*\\, <[\\s\\S]*?\\> [^\\)]*\\)"
          - "[^\\.]*\\.readFile\\([^\\)]*\\, <[\\s\\S]*?\\> [^\\)]*\\)"
          - "[^\\.]*\\.readFileSync\\([^\\)]*\\, <[\\s\\S]*?\\> [^\\)]*\\)"
          - "[^\\.]*\\.readFileAsync\\([^\\)]*\\, <[\\s\\S]*?\\> [^\\)]*\\)"
        condition: or
# digest: 490a00463044022077a05bec4a7bab41f89e41a82dc9ec945191bc1bd30dddd8f214a5b2eb1e00b902200df3a1bd784aecc8d34e62e7cc01161524651c15b790ae0475a99881bc01c272:922c64590222798bb761d5b6d8e72950