CWE-36 Absolute Path Traversal
Coverage status: Background only, this CWE is in scope but has no rules in the SiteShadow rule registry. Taint and heuristic analyzers may flag related patterns; see the coverage report and known gaps for the authoritative list.
What this means
SiteShadow flagged code where untrusted input can influence an absolute file path (e.g., /etc/passwd, C:\Windows\...) rather than being constrained to an expected directory.
Why it matters
Absolute path access can expose sensitive files or system data.
- Direct file disclosure: configs, keys, service credentials, environment files.
- Unexpected file access: reading from system directories or other tenants' data.
- If writes are possible, this can become a path to code execution.
Safer examples
1) Reject absolute paths outright
If an input should be a filename, reject values that are absolute paths.
2) Enforce a base directory (normalize + check)
from pathlib import Path
base = Path("/srv/uploads").resolve()
candidate = (base / filename).resolve()
if base not in candidate.parents:
raise ValueError("Invalid path")
3) Prefer IDs over paths
Accept a file ID and map it to a server-known path.
How SiteShadow detects it (high level)
- Flags file API usage where a path comes from untrusted input.
- Recognizes absolute-path indicators (
/, drive letters) in user-controlled contexts.
References
- CWE-36: https://cwe.mitre.org/data/definitions/36.html
---
← Back to Vulnerability Library
Catch this with SiteShadow Pro.
This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.