CWE-22 Path Traversal
What this means
SiteShadow detected a path construction pattern where untrusted input may control what file is read or written.
Why it matters
- Read bugs become data leaks (configs, keys, internal files).
- Write bugs can become code execution (overwriting scripts/configs in unsafe deployments).
- Path traversal is frequently exploitable with simple payloads such as ../ or its URL-encoded form ..%2f.
Safer examples
1) Map IDs to known files (instead of accepting paths)
const files = {
invoice: "/srv/reports/invoice.csv",
summary: "/srv/reports/summary.json",
};
// A plain property lookup also finds inherited keys such as "constructor" or
// "toString", which are not nullish and would bypass the ?? fallback, so only
// accept the request value when it is an own key of the allowlist.
const type = String(req.query.type ?? "");
const path = Object.hasOwn(files, type) ? files[type] : files.summary;
2) Normalize + enforce a base directory
from pathlib import Path

base = Path("/srv/uploads").resolve()

def safe_path(filename: str) -> Path:
    # base / filename discards base when filename is absolute, and resolve()
    # collapses ".." and follows symlinks, so the containment check is the real guard.
    candidate = (base / filename).resolve()
    if candidate == base or base not in candidate.parents:
        raise ValueError("Invalid path")
    return candidate
3) Validate file extensions only as an extra check
Extensions help but are not enough on their own. Prefer allowlists and base-dir enforcement.
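To show why items 2 and 3 belong together, here is an added example (not code from this page or from SiteShadow) that runs a constructed set of payloads through a naive join, an extension-only check, and the normalize-plus-base-directory guard. It also goes one step beyond the page by including a strip-the-literal-"../" filter, the kind of "fix" testers routinely bypass, so the contrast with real normalization is visible. The base directory /srv/uploads, the allowed suffixes and the payload list are assumptions chosen for illustration; nothing is created on disk.

```python
import os
from pathlib import Path
from urllib.parse import unquote

# Assumed base directory. Path.resolve() does not require it to exist,
# so the example runs without touching the filesystem.
BASE_DIR = "/srv/uploads"
BASE = Path(BASE_DIR).resolve()
ALLOWED_SUFFIXES = {".csv", ".json"}  # assumed allowlist for the extension check


def naive_join(user_path: str) -> str:
    """The flagged pattern: request input concatenated onto a base directory."""
    return os.path.normpath(os.path.join(BASE_DIR, unquote(user_path)))


def strip_traversal_once(user_path: str) -> str:
    """A common but broken 'fix': delete the literal '../' sequence once."""
    return user_path.replace("../", "")


def extension_only_check(user_path: str) -> bool:
    """Item 3 on its own: true when the suffix is allowlisted, whatever the directory."""
    return Path(unquote(user_path)).suffix in ALLOWED_SUFFIXES


def safe_path(user_path: str) -> Path:
    """Item 2: decode, normalize, then require the result to sit strictly inside BASE.

    resolve() collapses '..', duplicate separators and symlinks, so a link
    inside BASE that points outside is rejected as well.
    """
    candidate = (BASE / unquote(user_path)).resolve()
    if candidate == BASE or BASE not in candidate.parents:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return candidate


# Constructed payloads: the page's '../' plus the variants a tester tries next.
PAYLOADS = [
    "report.csv",               # benign
    "../../etc/passwd",         # plain traversal
    "..%2f..%2fetc%2fpasswd",   # URL-encoded separators
    "/etc/passwd",              # absolute path replaces the base in a join
    "....//....//etc/passwd",   # only dangerous after a strip-once filter
    "../../etc/config.csv",     # passes the extension check, escapes the base
]


def verdicts(user_path: str) -> dict:
    """Run one payload through each strategy and report what each would do."""
    try:
        safe = str(safe_path(user_path))
    except ValueError:
        safe = "REJECTED"
    return {
        "naive": naive_join(user_path),
        "strip_once_then_join": naive_join(strip_traversal_once(user_path)),
        "extension_ok": extension_only_check(user_path),
        "safe": safe,
    }


if __name__ == "__main__":
    for payload in PAYLOADS:
        print(f"{payload!r:28} {verdicts(payload)}")
```

The "....//....//etc/passwd" row is the instructive one: the naive join leaves it inside the base, the strip-once filter turns it into "../../etc/passwd" and opens the hole, and the resolve-then-compare guard accepts it only as a harmless path under /srv/uploads. The "../../etc/config.csv" row shows an extension allowlist passing a file that the base-directory check rejects.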
How SiteShadow detects it (high level)
- Recognizes file/serve APIs combined with request-derived input.
- Flags traversal indicators when they appear in user-controlled path building.
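An added illustration of the two bullets above, not SiteShadow's engine and not code from this page: a line-oriented, regex-based taint pass over a constructed Express-style snippet. It marks variables assigned from req.query, req.params, req.body or req.headers as tainted, propagates that through later assignments, reports file sinks that receive tainted arguments, and reports a "../" literal inside tainted path building (the strip-once idiom). The sink list, the source list and the exemption for allowlist lookups of the form files[req.query.type] are assumptions chosen for the example; the pass is flow-insensitive and single-file, which a real engine would not be.

```python
import re
from dataclasses import dataclass

# Assumed sink and source lists for the example only.
SINK_RE = re.compile(
    r"\b(fs\.(?:readFileSync|readFile|writeFileSync|writeFile|createReadStream|createWriteStream)"
    r"|res\.sendFile|res\.download)\s*\((.*)\)"
)
SOURCE_RE = re.compile(r"\breq\.(?:query|params|body|headers)\b")
# name[req.query.x]: the request value is only a key into fixed data (the page's item 1),
# so it is deliberately not treated as a path source.
LOOKUP_RE = re.compile(r"[A-Za-z_$][\w$]*\s*\[\s*req\.(?:query|params|body|headers)[\w.]*\s*\]")
ASSIGN_RE = re.compile(r"^\s*(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*(.+?);?\s*$")
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\|%2e%2e", re.IGNORECASE)
IDENT_RE = re.compile(r"[A-Za-z_$][\w$]*")


@dataclass
class Finding:
    lineno: int
    kind: str      # "tainted-sink" or "traversal-indicator"
    detail: str


def is_tainted(expr: str, tainted: set) -> bool:
    """True when the expression reads a request source or a variable derived from one."""
    expr = LOOKUP_RE.sub("", expr)
    if SOURCE_RE.search(expr):
        return True
    return any(ident in tainted for ident in IDENT_RE.findall(expr))


def scan(source: str) -> list:
    """Single pass: propagate taint through assignments, then check sinks on each line."""
    tainted: set = set()
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = ASSIGN_RE.match(line)
        if m:
            name, expr = m.group(1), m.group(2)
            if is_tainted(expr, tainted):
                tainted.add(name)
                if TRAVERSAL_RE.search(expr):
                    findings.append(Finding(lineno, "traversal-indicator", line.strip()))
        m = SINK_RE.search(line)
        if m and is_tainted(m.group(2), tainted):
            findings.append(Finding(lineno, "tainted-sink", m.group(1)))
    return findings


# Constructed sample: one strip-once handler, one allowlist handler, one raw write.
SAMPLE = """\
const fs = require("fs");
const path = require("path");
app.get("/download", (req, res) => {
  const name = req.query.name;
  const cleaned = name.replace("../", "");
  const target = path.join("/srv/files", cleaned);
  res.sendFile(target);
});
app.get("/report", (req, res) => {
  const files = { invoice: "/srv/reports/invoice.csv", summary: "/srv/reports/summary.json" };
  const chosen = files[req.query.type] ?? files.summary;
  res.sendFile(chosen);
});
app.post("/save", (req, res) => {
  fs.writeFileSync("/srv/data/" + req.params.id + ".json", req.body.payload);
  res.sendStatus(204);
});
"""


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.lineno}: {f.kind}: {f.detail}")
```

On the sample this reports line 5 (a "../" literal in user-controlled path building), line 7 (res.sendFile fed by a variable derived from req.query.name) and line 15 (fs.writeFileSync with req.params.id in the path), and stays silent on the /report handler because the request value there is only a key into a fixed map.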
References
- CWE-22: https://cwe.mitre.org/data/definitions/22.html
---