SiteShadow
Back to vulnerability library
Detected byCWE-aware static analysisPro

CWE-36 Absolute Path Traversal

Coverage status: Background only, this CWE is in scope but has no rules in the SiteShadow rule registry. Taint and heuristic analyzers may flag related patterns; see the coverage report and known gaps for the authoritative list.

What this means

SiteShadow flagged code where untrusted input can influence an absolute file path (e.g., /etc/passwd, C:\Windows\...) rather than being constrained to an expected directory.

Why it matters

Absolute path access can expose sensitive files or system data.

Safer examples

1) Reject absolute paths outright

If an input should be a filename, reject values that are absolute paths.

2) Enforce a base directory (normalize + check)

from pathlib import Path

base = Path("/srv/uploads").resolve()
candidate = (base / filename).resolve()
if base not in candidate.parents:
    raise ValueError("Invalid path")

3) Prefer IDs over paths

Accept a file ID and map it to a server-known path.

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.