No OS-specific absolute paths in source
Why it matters
An OS-specific absolute path hardcoded in source is a machine-identity leak (CWE-426: Untrusted Search Path) and a guaranteed deployment failure: /Users/dev/project/data/seed.json works on one laptop and nowhere else — not in CI, not in Docker, not on a teammate's machine. The taxon operational-readiness frames this correctly: the code was never tested outside the original development environment. AI models frequently emit absolute paths because they pattern-match on the developer's stated project location during the session, then embed that path literally into file reads, seed scripts, and config loaders.
Severity rationale
Medium because the broken path causes a hard runtime crash on any non-originating machine, but it does not expose data or enable unauthorized access.
Remediation
Replace every hardcoded absolute path with a runtime-relative path using path.join() and __dirname or import.meta.url.
```javascript
// Bad — only resolves on the original developer's machine
const data = require('/Users/dev/project/data/seed.json')

// Good — resolves relative to the module file at runtime, everywhere
import path from 'node:path'
import { fileURLToPath } from 'node:url'
import fs from 'node:fs'
const __dirname = path.dirname(fileURLToPath(import.meta.url))
const data = JSON.parse(
  fs.readFileSync(path.join(__dirname, '../data/seed.json'), 'utf8')
)
```
For Next.js projects, process.cwd() resolves to the project root in both dev and production. For Bun or Node scripts, use import.meta.dir (Bun) or __dirname (CommonJS) / fileURLToPath(import.meta.url) (ESM).
Detection
- ID: os-specific-paths-absent
- Severity: medium
- What to look for: Walk source files under src/, app/, lib/, server/, pages/, api/, worker/, components/, hooks/, utils/. For each file, search for string literals matching these regex patterns: `/Users/[^"'\\s]+`, `/home/[^"'\\s]+`, `^[A-Z]:\\\\` (Windows drive paths in source), `C:/Users/`, `/tmp/[^"'\\s]+(?<!_)` (allow tmpdir patterns), `/var/folders/`. EXCLUDE `**/*.test.*`, `**/*.spec.*`, `**/__tests__/**`, `**/__fixtures__/**`, `**/*.md`, `**/*.mdx`, `**/*.json`, `**/*.snap`. EXCLUDE any line that contains `// auditbuffet:ignore-path-check` as a comment. Count all source files scanned and the total occurrences of OS-specific paths.
- Pass criteria: 0 source files contain literal OS-specific absolute paths. Report: "X source files scanned, 0 OS-specific paths found."
- Fail criteria: At least 1 source file contains a literal OS-specific path.
- Skip (N/A) when: Project has 0 source files matching the analyzed extensions (empty source tree).
- Detail on fail: "2 OS-specific paths in source: '/Users/dev/project/data/seed.json' in src/lib/seed.ts, 'C:\\\\Users\\\\dev\\\\config.json' in src/config.ts"
- Remediation: OS-specific absolute paths break the moment the code runs on a different machine, in CI, or in a Docker container. Use path.join() and __dirname / import.meta.url instead:

```javascript
// Bad: only works on the original developer's laptop
const seed = require('/Users/dev/project/data/seed.json')

// Good: relative path resolved at runtime
import path from 'node:path'
import { fileURLToPath } from 'node:url'
import fs from 'node:fs' // required for readFileSync below
const __dirname = path.dirname(fileURLToPath(import.meta.url))
const seed = JSON.parse(fs.readFileSync(path.join(__dirname, '../data/seed.json'), 'utf8'))
```
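As an added example (not the auditbuffet tool's own code), here is a minimal in-memory implementation of this check in Node.js: it applies the patterns, exclusions and ignore marker listed above to constructed sample sources (the file paths and contents are assumptions) and produces the pass, fail and skip wording from the criteria.

```javascript
// Added example, not the auditbuffet tool's own code: a minimal in-memory
// implementation of the os-specific-paths-absent check. Files are constructed
// path -> source text pairs, not a real directory walk.
const SCAN_ROOTS = /^(src|app|lib|server|pages|api|worker|components|hooks|utils)\//;
const EXCLUDED_FILES = [/\.(test|spec)\.[^/]*$/, /(^|\/)__(tests|fixtures)__\//, /\.(md|mdx|json|snap)$/];
const IGNORE_MARKER = '// auditbuffet:ignore-path-check';
// Tested against the contents of each string literal, as the rule specifies.
const PATH_PATTERNS = [
  /\/Users\/[^"'\s]+/, /\/home\/[^"'\s]+/, /^[A-Z]:\\/,
  /C:\/Users\//, /\/tmp\/[^"'\s]+(?<!_)/, /\/var\/folders\//,
];

// Extract the raw (still-escaped) contents of "...", '...' and `...` literals.
function stringLiterals(line) {
  const re = /"((?:\\.|[^"\\])*)"|'((?:\\.|[^'\\])*)'|`((?:\\.|[^`\\])*)`/g;
  return Array.from(line.matchAll(re), (m) => m[1] ?? m[2] ?? m[3]);
}

function scan(files) {
  const findings = [];
  let filesScanned = 0;
  for (const [file, text] of Object.entries(files)) {
    if (!SCAN_ROOTS.test(file) || EXCLUDED_FILES.some((re) => re.test(file))) continue;
    filesScanned += 1;
    text.split('\n').forEach((line, i) => {
      if (line.includes(IGNORE_MARKER)) return; // explicit opt-out comment
      for (const literal of stringLiterals(line)) {
        if (PATH_PATTERNS.some((re) => re.test(literal))) findings.push({ file, line: i + 1, literal });
      }
    });
  }
  return { filesScanned, findings };
}

// Pass / fail / skip wording follows the rule's criteria.
function report({ filesScanned, findings }) {
  if (filesScanned === 0) return 'N/A: project has 0 source files to scan';
  if (findings.length === 0) return `${filesScanned} source files scanned, 0 OS-specific paths found.`;
  const detail = findings.map((f) => `'${f.literal}' in ${f.file}`).join(', ');
  return `${findings.length} OS-specific paths in source: ${detail}`;
}

// Constructed sample sources (the .test.ts file is excluded by the glob rules).
const SAMPLE_FILES = {
  'src/lib/seed.ts': "const seed = require('/Users/dev/project/data/seed.json')",
  'src/config.ts': String.raw`const cfg = 'C:\\Users\\dev\\config.json'`,
  'src/ok.ts': "const seed = path.join(__dirname, '../data/seed.json')\n" +
    "const legacy = '/home/ci/runner' " + IGNORE_MARKER,
  'src/lib/seed.test.ts': "const p = '/Users/dev/project/fixture.json'",
};
console.log(report(scan(SAMPLE_FILES)));
```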
External references
- cwe · CWE-426 — Untrusted Search Path: hardcoded absolute paths on the developer's local machine create environment-dependent behavior
Taxons
History
- 2026-04-18·v1.0.0·Initial import from ai-slop-hallucinations·automated