Path Traversal Vulnerability
Description
A file is opened for writing, and its filename comes from an input parameter. If that parameter reaches the file API unfiltered, an attacker can use directory traversal sequences such as `../` to modify files at an arbitrary filesystem location.
Examples
Insecure Code
```scala
// "/user-input/file.txt" stands in for an unvalidated, user-controlled path that is handed straight to the file API
new java.io.FileWriter("/user-input/file.txt")
```
Secure Code
```scala
import org.apache.commons.io.FilenameUtils
new java.io.FileWriter("/expected/path/" + FilenameUtils.getName("user-input/file.txt"))
```
Remediation
Validate and sanitize input parameters to prevent path traversal attacks. Use a whitelist approach to only allow specific, expected file paths.
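The secure example and the remediation above, carried through as an added Scala example (not part of this rule page or of any project's code): the user-supplied name is reduced to a bare file name with FilenameUtils.getName, checked against a constructed allowlist, and resolved under an assumed base directory before the FileWriter is opened. The base directory, the allowlist and commons-io being on the classpath are assumptions.

```scala
import java.io.FileWriter
import java.nio.file.{Path, Paths}
import org.apache.commons.io.FilenameUtils

object SafeFileWrite {
  // Assumed base directory; a real service takes this from configuration, never from the request.
  private val baseDir: Path = Paths.get("/expected/path").toAbsolutePath.normalize()

  // Assumed allowlist of the file names the application is actually expected to write.
  private val allowedNames: Set[String] = Set("report.txt", "notes.txt")

  // A bare file name: non-empty, not "." or "..", no separators and no NUL byte.
  private def isPlainName(name: String): Boolean =
    name.nonEmpty && name != "." && name != ".." &&
      !name.exists(c => c == '/' || c == '\\' || c == '\u0000')

  /** Map user input to a path inside baseDir, or None when it must be rejected. */
  def resolveSafely(userInput: String): Option[Path] =
    Some(userInput)
      .filter(in => in.indexOf('\u0000') < 0)             // fail closed on NUL rather than letting getName throw
      .map(in => FilenameUtils.getName(in))               // drop every directory component, as in the secure example
      .filter(isPlainName)
      .filter(name => allowedNames.contains(name))        // the allowlist the Remediation section calls for
      .map(name => baseDir.resolve(name).toAbsolutePath.normalize())
      .filter(p => p.startsWith(baseDir) && p != baseDir) // defence in depth: the final path is still under baseDir

  /** Write contents only when the name passes every check; returns whether the write happened. */
  def writeUserFile(userInput: String, contents: String): Boolean =
    resolveSafely(userInput) match {
      case Some(path) =>
        val writer = new FileWriter(path.toFile)
        try writer.write(contents) finally writer.close()
        true
      case None => false
    }

  def main(args: Array[String]): Unit = {
    // Constructed sample inputs: only the first resolves; the others are rejected.
    Seq("report.txt", "../../etc/passwd", "notes.txt/..", "secret.txt").foreach { in =>
      println(s"$in -> ${resolveSafely(in)}")
    }
  }
}
```

The final `startsWith(baseDir)` check is redundant once the allowlist holds, but it keeps the write confined to the base directory even if the allowlist is later relaxed to accept user-chosen names.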
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0051 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-22 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | path traversal, file inclusion |
| OWASP | A5:2017-Broken Access Control, A01:2021-Broken Access Control |