Path Traversal
Description
The software uses an HTTP request parameter to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
Examples
Insecure Code
```scala
import java.io.File

// `request` is the incoming javax.servlet.http.HttpServletRequest.
// The parameter is concatenated straight into the path, so a value such as
// "../../etc" walks out of the intended directory before "/file.txt" is appended.
val path = request.getParameter("path") + "/file.txt"
val file = new File(path)
```
Secure Code
```scala
import java.io.File

// Canonicalize first so "..", "." and symlinks are resolved, then use the
// path only if the resolved location is still inside the allowed directory.
// The trailing "/" matters: without it "/allowed/directory-other" would pass.
val path = new File(request.getParameter("path")).getCanonicalPath()
if (path.startsWith("/allowed/directory/")) {
  val file = new File(path)
}
```
Remediation
Validate user input before it reaches the filesystem. Use `java.io.File.getCanonicalPath()` to resolve `..`, `.` and symbolic links, then check that the result starts with the canonical path of the allowed directory followed by a separator (so `/allowed/directory` does not match `/allowed/directory-other`). Prefer resolving the user-supplied value relative to a fixed base directory over accepting a complete path, and compare against the canonical form of that base rather than a hard-coded string, since the base itself may be a symlink.
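The following is an added example, not code from the original rule page, that packages the remediation as a reusable check and exercises it against constructed inputs. `SafeFileAccess` and `safeResolve` are names chosen here for illustration; the allowed directory is a throwaway temporary directory created by the demo so it runs offline.

```scala
import java.io.File
import java.nio.file.Files

// Added example, not part of the original rule page. `SafeFileAccess` and
// `safeResolve` are illustrative names; the base directory is a throwaway
// temp directory created for the demo.
object SafeFileAccess {

  // Resolve `userPath` against `baseDir` and return the canonical file only if
  // it is still inside `baseDir`. Canonicalization collapses "." and ".."
  // and follows symlinks, so the check runs on the real location rather than
  // on the raw request string.
  def safeResolve(baseDir: File, userPath: String): Option[File] = {
    // NUL bytes make getCanonicalPath throw on current JDKs; reject them first.
    if (userPath.indexOf(0) >= 0) None
    else {
      // Trailing separator prevents "/allowed/directory-evil" from matching
      // the "/allowed/directory" prefix.
      val base = baseDir.getCanonicalPath + File.separator
      // File(parent, child) keeps an absolute child under the parent on Unix,
      // so the user never supplies the root of the path.
      val candidate = new File(baseDir, userPath).getCanonicalPath
      if (candidate.startsWith(base)) Some(new File(candidate)) else None
    }
  }

  // Constructed demo inputs: one legitimate name, one that uses ".." but stays
  // inside, two classic escapes, and a symlink that points outside the base.
  def main(args: Array[String]): Unit = {
    val base = Files.createTempDirectory("allowed").toFile
    Files.write(new File(base, "file.txt").toPath, "hello".getBytes("UTF-8"))
    val outside = Files.createTempFile("secret", ".txt")
    // Symlink creation may be unsupported (e.g. Windows without privilege);
    // the remaining cases still run if it fails.
    try Files.createSymbolicLink(new File(base, "link").toPath, outside)
    catch { case _: Exception => () }

    val inputs = Seq(
      "file.txt",          // accepted
      "sub/../file.txt",   // accepted: ".." does not leave the base
      "../../etc/passwd",  // rejected: escapes the base
      "/etc/passwd",       // accepted but re-rooted as <base>/etc/passwd
      "link"               // rejected: resolves to the temp file outside base
    )
    inputs.foreach { in =>
      val shown = safeResolve(base, in).map(_.getPath).getOrElse("REJECTED")
      println(f"$in%-18s -> $shown")
    }
  }
}
```

Two design points: the comparison uses the canonical form of the base plus a trailing separator rather than a literal string, so a symlinked base directory and a sibling directory with a shared prefix are both handled; and the user value is always joined to the base, which means the request can name a file but never the root of the path. Note that `getCanonicalPath` follows symlinks inside the base, so a link planted under the allowed directory that points elsewhere is rejected rather than silently followed.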
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0053 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-22 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | path traversal, injection |
| OWASP | A5:2017-Broken Access Control, A01:2021-Broken Access Control |