# Path Traversal
#### Tools recognizing this:
Opengrep Fortify Checkmarx SonarQube Snyk Semgrep CodeQL
## What is Directory Traversal
Directory Traversal (also known as **Path Traversal** or **Path Manipulation**) is a common web security vulnerability that allows attackers to access restricted directories and execute unauthorized commands. This guide covers directory traversal attacks, examples, prevention methods, and how to fix path traversal vulnerabilities in different programming languages.
The vulnerability occurs when an application accepts user input to construct file paths without proper validation or sanitization.
The user input can potentially include malicious sequences that manipulate the file path to allow attacker unauthorized actions:
* Access files outside the intended directory
* Read sensitive system files
* Modify or delete critical files
* Execute malicious files
* Potentially gain access to the entire file system
## One Simple Example
Consider this classic example of file access:
{% code overflow="wrap" %}
```java
String filePath = baseDir + "/" + userInput;
File file = new File(filePath);
```
{% endcode %}
An attacker could provide this input:
`../../../etc/passwd`
The resulting path becomes:
/var/www/app/../../../etc/passwd
This allows the attacker to access the system's password file located at `/etc/passwd`, which is outside the intended directory structure.
## Real-world Occurrences of Path Traversal
#### Zoom Path Traversal Vulnerability (2020)
In 2020, Zoom had a critical [path traversal vulnerability](https://threatprotect.qualys.com/2020/06/05/zoom-path-traversal-into-remote-code-execution-vulnerabilities-cve-2020-6109cve-2020-6110/) in their messaging feature, that could allow attackers to execute arbitrary code on other meeting attendees' machines.
Impact: Potential remote code execution on users' systems.
#### Apache HTTP Server Path Traversal (2021)
A severe [path traversal vulnerability](https://www.cve.org/CVERecord?id=CVE-2021-41773) in Apache HTTP Server 2.4.49 allowed attackers to map URLs to files outside the expected document root.
Impact: Remote attackers could access files outside of the web root directory, potentially exposing sensitive information and in some case remote code execution. This issue is known to be exploited in the wild.
## Fixing Path Traversal
The most efficient way to fix a Path Traversal issue in your code is using proper input validation and path canonicalization.
Path canonicalization ensures that file paths are converted to their simplest form, removing any relative path components. Input validation ensures that user-provided paths only contain allowed characters and patterns, preventing directory traversal attempts.
### Code Samples
{% tabs %}
{% tab title="Java" %}
**Vulnerable Code**
```java
String userInput = request.getParameter("fileName");
File file = new File(baseDir + "/" + userInput);
FileInputStream fis = new FileInputStream(file);
```
**Fixed Code**
```java
String userInput = request.getParameter("fileName");
File file = new File(baseDir, userInput).getCanonicalFile();
if (!file.getCanonicalPath().startsWith(new File(baseDir).getCanonicalPath())) {
throw new SecurityException("Invalid file path");
}
FileInputStream fis = new FileInputStream(file);
```
**Fix Explanation**
The vulnerable code directly concatenates user input into the file path.\
The fix uses getCanonicalFile() to resolve the actual path.\
Validates that the resolved path is within the intended base directory.\
Throws a security exception if path traversal is attempted.
{% endtab %}
{% tab title="JavaScript" %}
**Vulnerable Code**
```javascript
const filePath = path.join(baseDir, userInput);
fs.readFileSync(filePath);
```
**Fixed Code**
```javascript
const safePath = path.normalize(userInput).replace(/^(\.\.(\/|\\|$))+/, '');
const filePath = path.join(baseDir, safePath);
if (!filePath.startsWith(baseDir)) {
throw new Error('Invalid file path');
}
fs.readFileSync(filePath);
```
**Fix Explanation**
The vulnerable code directly joins user input with the base directory.\
The fix normalizes the path and removes any directory traversal sequences.\
Validates that the final path stays within the base directory.\
Throws an error if path traversal is attempted.
{% endtab %}
{% tab title="Python" %}
**Vulnerable Code**
```python
file_path = os.path.join(base_dir, user_input)
with open(file_path, 'r') as file:
content = file.read()
```
**Fixed Code**
```python
safe_path = os.path.normpath(user_input)
if safe_path.startswith('..'):
raise ValueError("Invalid file path")
file_path = os.path.join(base_dir, safe_path)
if not os.path.commonpath([file_path, base_dir]) == base_dir:
raise ValueError("Invalid file path")
with open(file_path, 'r') as file:
content = file.read()
```
**Fix Explanation**
The vulnerable code directly joins paths without validation.\
The fix normalizes the path and checks for traversal attempts.\
Uses commonpath to ensure the path stays within base directory.\
Raises an error if path traversal is detected.
{% endtab %}
{% tab title="C#" %}
**Vulnerable Code**
```csharp
string filePath = Path.Combine(baseDir, userInput);
string content = File.ReadAllText(filePath);
```
**Fixed Code**
```csharp
string safePath = Path.GetFullPath(Path.Combine(baseDir, userInput));
if (!safePath.StartsWith(Path.GetFullPath(baseDir), StringComparison.OrdinalIgnoreCase))
{
throw new SecurityException("Invalid file path");
}
string content = File.ReadAllText(safePath);
```
**Fix Explanation**
The vulnerable code combines paths without validation.\
The fix uses GetFullPath to resolve the actual path.\
Validates that the path stays within the base directory.\
Uses case-insensitive comparison for Windows compatibility.
{% endtab %}
{% tab title="PHP" %}
**Vulnerable Code**
```php
$file_path = $base_dir . '/' . $_GET['file'];
$content = file_get_contents($file_path);
```
**Fixed Code**
```php
$user_input = basename($_GET['file']);
$file_path = realpath($base_dir . '/' . $user_input);
if ($file_path === false || !str_starts_with($file_path, realpath($base_dir))) {
throw new Exception('Invalid file path');
}
$content = file_get_contents($file_path);
```
**Fix Explanation**
The vulnerable code directly concatenates user input.\
The fix uses basename to remove directory components.\
Uses realpath to resolve the actual path.\
Validates that the path stays within base directory.
{% endtab %}
{% tab title="C/C++" %}
**Vulnerable Code**
```cpp
string filePath = baseDir + "/" + userInput;
ifstream file(filePath);
string content((istreambuf_iterator(file)), {});
```
**Fixed Code**
```cpp
filesystem::path safePath = filesystem::absolute(baseDir / userInput);
if (!filesystem::equivalent(safePath.parent_path(), baseDir)) {
throw runtime_error("Invalid file path");
}
ifstream file(safePath);
string content((istreambuf_iterator(file)), {});
```
**Fix Explanation**
The vulnerable code directly concatenates paths.\
The fix uses filesystem::path for safe path handling.\
Validates that the parent path matches the base directory.\
Throws an error if path traversal is detected.
{% endtab %}
{% endtabs %}
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.mobb.ai/mobb-user-docs/fixing-guides/directory-traversal-fix-guide.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.