Mobb User Docs
Start NowBlogsWatch NowContact Us
  • What is Mobb?
  • What's New with Mobb
  • Supported Fixes
  • Getting Started
    • System Requirements
    • Onboarding Guide
      • Registering a Mobb account
      • Try Mobb now!
      • Running Mobb against your own code
      • Automate Mobb in a CI/CD pipeline
    • Working with the Fix Report
    • Mobb CLI Overview
      • Analyze Mode
      • Scan Mode
      • Add SCM Token Mode
      • Review Mode
      • Common Deployment Scenarios
  • Mobb Dashboard
  • Integrating SAST Findings
    • Checkmarx
      • Generating Checkmarx One JSON Report from CLI
    • Snyk
    • SonarQube
      • Generating a SonarQube SAST Report
    • Fortify
    • CodeQL
    • Semgrep/Opengrep
      • Generating a Semgrep SAST Report
      • Generating an Opengrep SAST Report
  • CI/CD Integrations
    • GitHub Actions
      • GitHub Fixer for CxOne
      • GitHub Fixer for Opengrep
    • GitLab Pipeline
    • Azure DevOps
    • Jenkins
    • CircleCI
    • Bamboo
    • Bitbucket Pipeline
  • Administration
    • User Management
    • Project Settings
    • Access Tokens
    • Organization-Level Fix Policy
    • Integrations Page
    • SAML Single Sign-On Flow
  • More Info
    • Mobb Broker
      • Mobb Broker Token Rotation
      • Secure storage of Mobb broker in AWS Secrets Manager
    • Providing Fix Feedback
    • Frequently Asked Questions (FAQ)
    • Data Protection and Retention
    • Service Level Agreement
  • Fixing Guides
    • SQL Injection
    • Path Traversal
    • Log Forging
    • XSS
    • XXE
    • Server Side Request Forgery
    • HttpOnly Cookie Vulnerabilities
    • Hardcoded Domain in HTML
    • Hardcoded Secrets
    • HTTP Response Splitting Attacks
    • Insecure Cookie Vulnerabilities
    • Insecure Randomness
    • Missing Check against Null
    • Missing Rate Limiting
    • Regex Missing Timeout
    • System Information Leakage
  • Mobb REST API Guide
Powered by GitBook
On this page
  • What is Directory Traversal
  • One Simple Example
  • Real-world Occurrences of Path Traversal
  • Fixing Path Traversal
  • Code Samples

Was this helpful?

  1. Fixing Guides

Path Traversal

Learn how to prevent directory traversal attacks with examples, cheat sheets, and best practices. Protect your web server from path traversal vulnerabilities and security threats.

Tools recognizing this:

Opengrep Fortify Checkmarx SonarQube Snyk Semgrep CodeQL

What is Directory Traversal

Directory Traversal (also known as Path Traversal or Path Manipulation) is a common web security vulnerability that allows attackers to access restricted directories and execute unauthorized commands. This guide covers directory traversal attacks, examples, prevention methods, and how to fix path traversal vulnerabilities in different programming languages.

The vulnerability occurs when an application accepts user input to construct file paths without proper validation or sanitization.

The user input can potentially include malicious sequences that manipulate the file path to allow attacker unauthorized actions:

  • Access files outside the intended directory

  • Read sensitive system files

  • Modify or delete critical files

  • Execute malicious files

  • Potentially gain access to the entire file system

One Simple Example

Consider this classic example of file access:

String filePath = baseDir + "/" + userInput;
File file = new File(filePath);

An attacker could provide this input:

../../../etc/passwd

The resulting path becomes:

/var/www/app/../../../etc/passwd

This allows the attacker to access the system's password file located at /etc/passwd, which is outside the intended directory structure.

Real-world Occurrences of Path Traversal

Zoom Path Traversal Vulnerability (2020)

Impact: Potential remote code execution on users' systems.

Apache HTTP Server Path Traversal (2021)

Impact: Remote attackers could access files outside of the web root directory, potentially exposing sensitive information and in some case remote code execution. This issue is known to be exploited in the wild.

Fixing Path Traversal

The most efficient way to fix a Path Traversal issue in your code is using proper input validation and path canonicalization.

Path canonicalization ensures that file paths are converted to their simplest form, removing any relative path components. Input validation ensures that user-provided paths only contain allowed characters and patterns, preventing directory traversal attempts.

Code Samples

Vulnerable Code

String userInput = request.getParameter("fileName");
File file = new File(baseDir + "/" + userInput);
FileInputStream fis = new FileInputStream(file);

Fixed Code

String userInput = request.getParameter("fileName");
File file = new File(baseDir, userInput).getCanonicalFile();
if (!file.getCanonicalPath().startsWith(new File(baseDir).getCanonicalPath())) {
    throw new SecurityException("Invalid file path");
}
FileInputStream fis = new FileInputStream(file);

Fix Explanation

The vulnerable code directly concatenates user input into the file path. The fix uses getCanonicalFile() to resolve the actual path. Validates that the resolved path is within the intended base directory. Throws a security exception if path traversal is attempted.

Vulnerable Code

const filePath = path.join(baseDir, userInput);
fs.readFileSync(filePath);

Fixed Code

const safePath = path.normalize(userInput).replace(/^(\.\.(\/|\\|$))+/, '');
const filePath = path.join(baseDir, safePath);
if (!filePath.startsWith(baseDir)) {
    throw new Error('Invalid file path');
}
fs.readFileSync(filePath);

Fix Explanation

The vulnerable code directly joins user input with the base directory. The fix normalizes the path and removes any directory traversal sequences. Validates that the final path stays within the base directory. Throws an error if path traversal is attempted.

Vulnerable Code

file_path = os.path.join(base_dir, user_input)
with open(file_path, 'r') as file:
    content = file.read()

Fixed Code

safe_path = os.path.normpath(user_input)
if safe_path.startswith('..'):
    raise ValueError("Invalid file path")
file_path = os.path.join(base_dir, safe_path)
if not os.path.commonpath([file_path, base_dir]) == base_dir:
    raise ValueError("Invalid file path")
with open(file_path, 'r') as file:
    content = file.read()

Fix Explanation

The vulnerable code directly joins paths without validation. The fix normalizes the path and checks for traversal attempts. Uses commonpath to ensure the path stays within base directory. Raises an error if path traversal is detected.

Vulnerable Code

string filePath = Path.Combine(baseDir, userInput);
string content = File.ReadAllText(filePath);

Fixed Code

string safePath = Path.GetFullPath(Path.Combine(baseDir, userInput));
if (!safePath.StartsWith(Path.GetFullPath(baseDir), StringComparison.OrdinalIgnoreCase))
{
    throw new SecurityException("Invalid file path");
}
string content = File.ReadAllText(safePath);

Fix Explanation

The vulnerable code combines paths without validation. The fix uses GetFullPath to resolve the actual path. Validates that the path stays within the base directory. Uses case-insensitive comparison for Windows compatibility.

Vulnerable Code

$file_path = $base_dir . '/' . $_GET['file'];
$content = file_get_contents($file_path);

Fixed Code

$user_input = basename($_GET['file']);
$file_path = realpath($base_dir . '/' . $user_input);
if ($file_path === false || !str_starts_with($file_path, realpath($base_dir))) {
    throw new Exception('Invalid file path');
}
$content = file_get_contents($file_path);

Fix Explanation

The vulnerable code directly concatenates user input. The fix uses basename to remove directory components. Uses realpath to resolve the actual path. Validates that the path stays within base directory.

Vulnerable Code

string filePath = baseDir + "/" + userInput;
ifstream file(filePath);
string content((istreambuf_iterator<char>(file)), {});

Fixed Code

filesystem::path safePath = filesystem::absolute(baseDir / userInput);
if (!filesystem::equivalent(safePath.parent_path(), baseDir)) {
    throw runtime_error("Invalid file path");
}
ifstream file(safePath);
string content((istreambuf_iterator<char>(file)), {});

Fix Explanation

The vulnerable code directly concatenates paths. The fix uses filesystem::path for safe path handling. Validates that the parent path matches the base directory. Throws an error if path traversal is detected.

PreviousSQL InjectionNextLog Forging

Last updated 2 months ago

Was this helpful?

In 2020, Zoom had a critical in their messaging feature, that could allow attackers to execute arbitrary code on other meeting attendees' machines.

A severe in Apache HTTP Server 2.4.49 allowed attackers to map URLs to files outside the expected document root.

path traversal vulnerability
path traversal vulnerability