CWE-59 Link Following
Coverage status: Background only, this CWE is in scope but has no rules in the SiteShadow rule registry. Taint and heuristic analyzers may flag related patterns; see the coverage report and known gaps for the authoritative list.
What this means
SiteShadow flagged file operations that follow links (symlinks/hardlinks/shortcuts) in a way that can bypass the intended target. The app thinks it's reading/writing "a safe file," but the link points elsewhere.
Why it matters
Link following can redirect access to unintended targets.
- Read leaks: a link can point to secrets/configs.
- Write exploits: a link can redirect writes into sensitive locations.
- Often shows up in temp-file, upload, and "write then move" flows.
Safer examples
1) Don't follow links for untrusted paths
Use platform-safe APIs/flags to refuse symlinks where possible (exact API varies).
2) Use atomic, safe file creation patterns
Prefer secure temp file helpers rather than manual naming.
3) Validate final resolved path is under a base directory
Resolve the path and enforce that it stays inside your intended directory (see CWE-23 / CWE-36 / CWE-61).
How SiteShadow detects it (high level)
- Looks for file operations in untrusted contexts that do not guard against link following.
- Flags patterns commonly used in TOCTOU/link-following exploits.
References
- CWE-59: https://cwe.mitre.org/data/definitions/59.html
---
← Back to Vulnerability Library
Catch this with SiteShadow Pro.
This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.