{
  "id": "S036",
  "name": "Use internal data for file paths, validate user filenames strictly",
  "category": "security",
  "description": "Prevent path traversal, local file inclusion (LFI), remote file inclusion (RFI), and server-side request forgery (SSRF) by building file paths from internally generated data instead of user-submitted filenames. When user input is unavoidable, validate it strictly against an allowlist.",
  "severity": "error",
  "enabled": true,
  "patterns": {
    "include": ["**/*.js", "**/*.ts", "**/*.jsx", "**/*.tsx", "**/*.php", "**/*.py"],
    "exclude": [
      "**/*.test.*",
      "**/*.spec.*",
      "__tests__/**",
      "__mocks__/**",
      "**/node_modules/**",
      "**/dist/**",
      "**/build/**"
    ]
  }
}
