CWE-22 Path Traversal
Coverage: 30 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 30 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.
What this means
SiteShadow detected a path construction pattern where untrusted input may control what file is read or written.
Why it matters
- Read bugs become data leaks (configs, keys, internal files).
- Write bugs can become code execution (overwriting scripts/configs in unsafe deployments).
- Path traversal is frequently exploitable with simple payloads like
../.
Safer examples
1) Map IDs to known files (instead of accepting paths)
const files = {
invoice: "/srv/reports/invoice.csv",
summary: "/srv/reports/summary.json",
};
const path = files[req.query.type] ?? files.summary;
2) Normalize + enforce a base directory
from pathlib import Path
base = Path("/srv/uploads").resolve()
candidate = (base / filename).resolve()
if base not in candidate.parents:
raise ValueError("Invalid path")
3) Validate file extensions only as an extra check
Extensions help but are not enough on their own. Prefer allowlists and base-dir enforcement.
How SiteShadow detects it (high level)
- Recognizes file/serve APIs combined with request-derived input.
- Flags traversal indicators when they appear in user-controlled path building.
References
- CWE-22: https://cwe.mitre.org/data/definitions/22.html
---
← Back to Vulnerability Library
Catch this with SiteShadow Pro.
This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.