Path Traversal occurs when untrusted input is incorporated into a file path without proper canonicalisation or validation. An adversary can exploit this by injecting traversal sequences (e.g., `../`) or crafted absolute paths to access files outside the intended directory. This can lead to disclosure of sensitive files (e.g., `/etc/passwd`), unauthorised file modification, or, under certain conditions, remote code execution. The issue applies both to traditional filesystems and cloud object storage (e.g., S3 keys).
Remediation
Avoid constructing file paths directly from untrusted input wherever possible.
Do not rely solely on substring checks such as searching for `../` — these are easily bypassed with encoding or nested traversal tricks.
Canonicalise the file path (resolve symlinks, normalise encoding, collapse relative segments) and verify that it resides within the expected directory prefix.
Apply strict allow-lists for permitted filenames or extensions rather than attempting to sanitise arbitrary input.
Run file-accessing code with the principle of least privilege; ensure the process has no access to sensitive system paths.
Metadata
Severity: medium
Slug: path-traversal
CWEs
22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
41: Improper Resolution of Path Equivalence
23: Relative Path Traversal
36: Absolute Path Traversal
73: External Control of File Name or Path
OWASP
A03:2021: Injection
A01:2021: Broken Access Control
A05:2021: Security Misconfiguration
Available Labs
Open Ruby labs in SecDim Play for this vulnerability.
Want to skill-up in secure coding and AppSec?
Try SecDim Wargames to learn how to find, hack
and fix security vulnerabilities inspired by real-world incidents.
Join our secure coding and AppSec community.
A discussion board to share and
discuss all aspects of secure
programming, AppSec, DevSecOps,
fuzzing, cloudsec, AIsec
code review, and more.
