RSTR-PTH-004 — literal ../../ in source

Summary

A literal '../../' (or longer) string appears inside source code. Most of the time this is build-tool plumbing or test-fixture pathing — not a vulnerability — but it is also exactly the shape of a hard-coded directory-traversal payload, so the rule flags it for review.

Severity

Info. This is a flag-for-review, not a confirmed bug.

Languages

All scanned languages — Python, JS/TS, Go, Rust, Java, Kotlin, Ruby, PHP.

What rastray flags

ROOT = '../../config/settings.yaml'        # ← flagged
import x from '../../shared/util';          // ← rule excludes import statements; not flagged

The rule excludes import / require / from … import … specifiers and any other line it can recognise as a module import. It fires on the remaining cases, where the ../../ sits in an expression context (a string assigned, concatenated, or passed as an argument).

What rastray deliberately does not flag

  • import 'pkg/../../sub' (module specifiers).
  • TypeScript path mapping in tsconfig.json paths.

How to fix it

If the ../../ is intentional (build-time path, test fixture), keep it and suppress the finding with a comment that documents why:

# rastray-ignore: RSTR-PTH-004 — fixture lives outside the package
ROOT = '../../tests/fixtures/sample.json'

If the literal is in fact concatenated into a path that takes attacker input downstream, refactor to a real allow-list of file roots and use os.path.realpath to confirm that the resolved path stays inside one of them.
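Added example (not rastray's own code): a containment check of the kind the paragraph above describes. It resolves a caller-supplied relative path against an allow-listed root with os.path.realpath, then uses os.path.commonpath rather than a string prefix test so that a sibling directory sharing a prefix (data vs data2), an absolute path, a ../ escape, and a symlink pointing outside the root are all rejected. The directory names and file contents are constructed for the demonstration; a real service would load its roots from configuration.

```python
import os
import tempfile
from typing import Optional


def resolve_inside(root: str, relative: str) -> Optional[str]:
    """Resolve `relative` against `root` and return the canonical path only
    if it is still inside `root` once '..' segments and symlinks have been
    collapsed by os.path.realpath. Returns None if the path escapes."""
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, relative))
    # commonpath, not startswith: '/srv/data2/x' must not be accepted as a
    # child of '/srv/data'.
    try:
        shared = os.path.commonpath([real_root, candidate])
    except ValueError:  # different drives on Windows: nothing in common
        return None
    return candidate if shared == real_root else None


def read_from_roots(roots, relative) -> Optional[bytes]:
    """Serve `relative` from the first allow-listed root that contains it.
    No path derived from the caller's input reaches open() without the check."""
    for root in roots:
        path = resolve_inside(root, relative)
        if path is not None and os.path.isfile(path):
            with open(path, "rb") as fh:
                return fh.read()
    return None


def demo() -> dict:
    """Build a constructed tree in a temp dir and exercise the usual escape
    shapes. Returns the outcomes so they can be checked programmatically."""
    with tempfile.TemporaryDirectory() as tmp:
        data = os.path.join(tmp, "data")        # the only allow-listed root
        sibling = os.path.join(tmp, "data2")    # shares a string prefix with data
        outside = os.path.join(tmp, "outside")  # must never be readable
        for d in (data, sibling, outside):
            os.makedirs(d)
        with open(os.path.join(data, "ok.txt"), "wb") as fh:
            fh.write(b"public")
        with open(os.path.join(outside, "secret.txt"), "wb") as fh:
            fh.write(b"secret")
        with open(os.path.join(sibling, "x.txt"), "wb") as fh:
            fh.write(b"sibling")
        # A symlink inside the root whose target lies outside it.
        symlink_ok = True
        try:
            os.symlink(os.path.join(outside, "secret.txt"),
                       os.path.join(data, "link.txt"))
        except (OSError, NotImplementedError):
            symlink_ok = False

        results = {
            "plain": read_from_roots([data], "ok.txt"),
            "dotdot": read_from_roots([data], "../outside/secret.txt"),
            "absolute": read_from_roots([data], os.path.join(outside, "secret.txt")),
            "sibling": read_from_roots([data], "../data2/x.txt"),
            "symlink": read_from_roots([data], "link.txt") if symlink_ok else None,
        }
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:9s} -> {value!r}")
```

Only the "plain" lookup returns file contents; every other shape resolves to a path outside the root and is refused before open() is reached. The realpath call is what makes the symlink case fail closed, and commonpath is what makes the sibling-prefix case fail closed; a check that used only os.path.normpath and startswith would pass both.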

References