Path Traversal

Path Traversal occurs when untrusted input is incorporated into a file path without proper canonicalisation or validation. An adversary can exploit this by injecting traversal sequences (e.g., `../`) or crafted absolute paths to access files outside the intended directory. This can lead to disclosure of sensitive files (e.g., `/etc/passwd`), unauthorised file modification, or, under certain conditions, remote code execution. The issue applies both to traditional filesystems and cloud object storage (e.g., S3 keys).

Remediation

  • Avoid constructing file paths directly from untrusted input wherever possible.
  • Do not rely solely on substring checks such as searching for `../` — these are easily bypassed with encoding or nested traversal tricks.
  • Canonicalise the file path (resolve symlinks, normalise encoding, collapse relative segments) and verify that it resides within the expected directory prefix.
  • Apply strict allow-lists for permitted filenames or extensions rather than attempting to sanitise arbitrary input.
  • Run file-accessing code with the principle of least privilege; ensure the process has no access to sensitive system paths.
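An added C++17 example (not code from the SecDim lab or page) implementing the canonicalise-then-check-containment remediation above: `is_within` and `resolve_in` are hypothetical helper names, and the base directory used in `main` is a constructed temporary directory.

```cpp
#include <filesystem>
#include <iostream>
#include <optional>
#include <string>
#include <system_error>

namespace fs = std::filesystem;

// True if `candidate` is `base` or lies beneath it. Compares normalised path
// components, not raw strings, so "/srv/app2" is not mistaken for a child of
// "/srv/app" and "/srv/app/../etc/passwd" collapses to "/etc/passwd" first.
bool is_within(const fs::path& base, const fs::path& candidate) {
    fs::path b = base.lexically_normal();
    if (!b.has_filename()) b = b.parent_path();  // drop a trailing separator
    const fs::path rel = candidate.lexically_normal().lexically_relative(b);
    if (rel.empty()) return false;               // different root, e.g. drive letter
    return rel.begin()->string() != "..";        // escapes only if it starts by climbing
}

// Maps an untrusted filename onto a path under `base_dir`; returns nullopt if
// the result would escape. weakly_canonical() resolves symlinks in the existing
// prefix, so a link inside base_dir that points elsewhere is also rejected.
// Assumes base_dir exists. (Hypothetical helper, not SecDim lab code.)
std::optional<fs::path> resolve_in(const fs::path& base_dir,
                                   const std::string& user_input) {
    std::error_code ec;
    const fs::path base = fs::weakly_canonical(base_dir, ec);
    if (ec) return std::nullopt;
    // operator/ with an absolute right-hand side discards `base` entirely
    // ("/srv/app" / "/etc/passwd" == "/etc/passwd"), which is why the join
    // result must be checked rather than trusted.
    const fs::path target = fs::weakly_canonical(base / user_input, ec);
    if (ec || !is_within(base, target)) return std::nullopt;
    return target;
}

int main() {
    // Constructed sample base directory for the demonstration.
    const fs::path base = fs::temp_directory_path() / "pt_demo_base";
    fs::create_directories(base);
    for (const std::string input : {"reports/q1.txt", "../../etc/passwd",
                                    "/etc/passwd", "reports/../../x"}) {
        const auto resolved = resolve_in(base, input);
        std::cout << input << " -> "
                  << (resolved ? resolved->string() : "REJECTED") << '\n';
    }
}
```

Only the first input is accepted; the other three are rejected because their canonical form no longer starts with the base directory's components.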

Metadata

  • Severity: medium
  • Slug: path-traversal

CWEs

  • 22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • 41: Improper Resolution of Path Equivalence
  • 23: Relative Path Traversal
  • 36: Absolute Path Traversal
  • 73: External Control of File Name or Path

OWASP

  • A03:2021: Injection
  • A01:2021: Broken Access Control
  • A05:2021: Security Misconfiguration

Available Labs

Open Cpp labs in SecDim Play for this vulnerability.
