SiteShadow
Back to vulnerability library
Detected byCWE-aware static analysisPro

CWE-23 Relative Path Traversal

Coverage status: Background only, this CWE is in scope but has no rules in the SiteShadow rule registry. Taint and heuristic analyzers may flag related patterns; see the coverage report and known gaps for the authoritative list.

What this means

SiteShadow flagged a file path influenced by untrusted input where ../ (or similar) could be used to escape an intended directory.

Why it matters

Safer examples

1) Use allowlists (best default)

const allowed = new Set(["report.csv", "summary.json"]);
const name = allowed.has(req.query.name) ? req.query.name : "summary.json";

2) Normalize and enforce a base directory

from pathlib import Path

base = Path("/srv/reports").resolve()
candidate = (base / user_path).resolve()
if base not in candidate.parents:
    raise ValueError("Invalid path")

3) Don't accept file paths when an ID will do

Accept an ID, look up the file server-side, and never expose filesystem paths to clients.

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.