An OS-specific absolute path hardcoded in source is a machine-identity leak (CWE-426: Untrusted Search Path) and a guaranteed deployment failure: /Users/dev/project/data/seed.json works on one laptop and nowhere else — not in CI, not in Docker, not on a teammate's machine. The operational-readiness taxon frames this correctly: the code was never tested outside the original development environment. AI models frequently emit absolute paths because they pattern-match on the developer's stated project location during the session, then embed that path literally into file reads, seed scripts, and config loaders.
Medium because the broken path causes a hard runtime crash on any non-originating machine, but it does not expose data or enable unauthorized access.
Replace every hardcoded absolute path with a runtime-relative path using path.join() and __dirname or import.meta.url.
// Bad — only resolves on the original developer's machine
const data = require('/Users/dev/project/data/seed.json')
// Good — resolves relative to the module file at runtime, everywhere
import path from 'node:path'
import { fileURLToPath } from 'node:url'
import fs from 'node:fs'
const __dirname = path.dirname(fileURLToPath(import.meta.url))
const data = JSON.parse(
  fs.readFileSync(path.join(__dirname, '../data/seed.json'), 'utf8')
)
For Next.js projects, process.cwd() resolves to the project root in both dev and production. For Bun or Node scripts, use import.meta.dir (Bun) or __dirname (CommonJS) / fileURLToPath(import.meta.url) (ESM).
ID: ai-slop-hallucinations.asset-references.os-specific-paths-absent
Severity: medium
What to look for: Walk source files under src/, app/, lib/, server/, pages/, api/, worker/, components/, hooks/, utils/. For each file, search for string literals matching these regex patterns: /Users/[^"'\\s]+, /home/[^"'\\s]+, ^[A-Z]:\\\\ (Windows drive paths in source), C:/Users/, /tmp/[^"'\\s]+(?<!_) (allow tmpdir patterns), /var/folders/. EXCLUDE **/*.test.*, **/*.spec.*, **/__tests__/**, **/__fixtures__/**, **/*.md, **/*.mdx, **/*.json, **/*.snap. EXCLUDE any line that contains // auditbuffet:ignore-path-check as a comment. Count all source files scanned, total occurrences of OS-specific paths.
Pass criteria: 0 source files contain literal OS-specific absolute paths. Report: "X source files scanned, 0 OS-specific paths found."
Fail criteria: At least 1 source file contains a literal OS-specific path.
Skip (N/A) when: Project has 0 source files matching the analyzed extensions (empty source tree).
Detail on fail: "2 OS-specific paths in source: '/Users/dev/project/data/seed.json' in src/lib/seed.ts, 'C:\\\\Users\\\\dev\\\\config.json' in src/config.ts"
Remediation: OS-specific absolute paths break the moment the code runs on a different machine, in CI, or in a Docker container. Use path.join() and __dirname / import.meta.url instead:
// Bad: only works on the original developer's laptop
const seed = require('/Users/dev/project/data/seed.json')
// Good: relative path resolved at runtime
import path from 'node:path'
import { fileURLToPath } from 'node:url'
import fs from 'node:fs'
const __dirname = path.dirname(fileURLToPath(import.meta.url))
const seed = JSON.parse(fs.readFileSync(path.join(__dirname, '../data/seed.json'), 'utf8'))
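
The check described under "What to look for", as an added example (not the audit tool's own code): a scanner that applies the listed patterns to string literals, honours the file exclusions and the ignore comment, and returns the pass/fail/skip status. The name `scanSources`, the in-memory sample files, treating the listed directories as top-level roots, and reading the doubled backslashes in the patterns as string escaping are assumptions.

```javascript
// Added example: in-memory version of the check. Names and sample files are constructed.
const SOURCE_ROOTS = /^(src|app|lib|server|pages|api|worker|components|hooks|utils)\//; // assumed top-level
const EXCLUDED = [
  /(^|\/)[^\/]*\.(test|spec)\.[^\/]*$/, // **/*.test.*, **/*.spec.*
  /(^|\/)(__tests__|__fixtures__)\//,   // **/__tests__/**, **/__fixtures__/**
  /\.(md|mdx|json|snap)$/,              // **/*.md, **/*.mdx, **/*.json, **/*.snap
];
const IGNORE_MARKER = '// auditbuffet:ignore-path-check';
// Patterns from the rule text, with doubled backslashes read as string escaping (assumption).
const PATH_PATTERNS = [
  /\/Users\/[^"'\s]+/, /\/home\/[^"'\s]+/, /^[A-Z]:\\/,
  /C:\/Users\//, /\/tmp\/[^"'\s]+(?<!_)/, /\/var\/folders\//,
];
// One-line string literals in ', " or ` quotes; backslash escapes are consumed in pairs.
const STRING_LITERAL = /(["'`])((?:\\.|(?!\1)[^\\])*)\1/g;

function scanSources(files) {
  const findings = [];
  let scanned = 0;
  for (const { file, text } of files) {
    if (!SOURCE_ROOTS.test(file) || EXCLUDED.some((re) => re.test(file))) continue;
    scanned += 1;
    text.split('\n').forEach((line, i) => {
      if (line.includes(IGNORE_MARKER)) return; // per-line opt-out
      for (const [, , literal] of line.matchAll(STRING_LITERAL)) {
        if (PATH_PATTERNS.some((re) => re.test(literal))) {
          findings.push({ file, line: i + 1, literal });
        }
      }
    });
  }
  // Skip on an empty source tree, pass on zero findings, otherwise fail.
  const status = scanned === 0 ? 'skip' : findings.length === 0 ? 'pass' : 'fail';
  return { status, scanned, findings };
}

// Constructed sample tree; String.raw keeps the backslashes as they appear in a source file.
const SAMPLE_FILES = [
  { file: 'src/lib/seed.ts', text: "const seed = require('/Users/dev/project/data/seed.json')" },
  { file: 'src/config.ts', text: String.raw`const cfg = 'C:\\Users\\dev\\config.json'` },
  { file: 'src/lib/ok.ts', text: "const p = path.join(__dirname, '../data/seed.json')" },
  { file: 'src/lib/legacy.ts', text: "const d = '/home/ci/cache' // auditbuffet:ignore-path-check" },
  { file: 'src/lib/seed.test.ts', text: "const f = '/Users/dev/fixture.json'" },
  { file: 'docs/notes.ts', text: "const f = '/Users/dev/x'" },
];
const report = scanSources(SAMPLE_FILES);
console.log(`${report.scanned} source files scanned, ${report.findings.length} OS-specific paths found.`);
```

Because the patterns are not anchored to the start of the literal, a URL such as one containing /home/ in its path is also flagged; the ignore comment is the rule's escape hatch for those lines.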