CWE-23 Relative Path Traversal
What this means
SiteShadow flagged a file path built from untrusted input where ../ (or an equivalent such as ..\ or an absolute path) could be used to escape the directory the code intended to stay inside.
Why it matters
- Read exposure: attackers can read arbitrary server files such as configuration, credentials and source code.
- Write exposure: some flows allow creating or overwriting files (for example templates, scripts or config the server later executes), which can turn into code execution.
- It usually shows up in download/export endpoints and in static file serving helpers that take a name or path from the request.
Safer examples
1) Use allowlists (best default)
// Only names in the allowlist are ever used; anything else falls back to a safe default.
// Set.has() returns false for non-string input (e.g. an array from ?name=a&name=b).
const allowed = new Set(["report.csv", "summary.json"]);
const name = allowed.has(req.query.name) ? req.query.name : "summary.json";
2) Normalize and enforce a base directory
from pathlib import Path

# user_path is the untrusted string taken from the request.
base = Path("/srv/reports").resolve()
# Path joining replaces base entirely if user_path is absolute, and resolve()
# collapses ../ and follows symlinks, so the check below sees the real target.
candidate = (base / user_path).resolve()
if base not in candidate.parents:
    raise ValueError("Invalid path")
3) Don't accept file paths when an ID will do
Accept an opaque ID, look the file up server-side (a database row or a fixed mapping), and never expose filesystem paths to clients.
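The following is an added, runnable example (not SiteShadow's code) that carries approach 2 through against the inputs an attacker actually sends: plain ../, an absolute path, an empty name, a NUL byte and a symlink inside the base that points outside it. The base directory, its contents and the escaping symlink are constructed in a temporary directory; the function and variable names are this example's own.

```python
import os
import tempfile
from pathlib import Path


def resolve_under_base(base: Path, user_path: str) -> Path:
    """Return the canonical path of user_path inside base, or raise ValueError.

    base is resolved first so a symlinked base (e.g. /srv -> /data) does not
    cause false rejections. The candidate is resolved non-strictly, so a file
    that does not exist yet still gets a canonical path, while symlinks that do
    exist are followed: a link inside base that points outside is rejected.
    """
    if "\x00" in user_path:
        # A NUL byte would truncate the path in C-level file APIs.
        raise ValueError("Invalid path")
    base = base.resolve()
    # If user_path is absolute, base / user_path is just user_path; the
    # parents check below catches that case as well.
    candidate = (base / user_path).resolve()
    # candidate == base is rejected too: the directory itself is never a file to serve.
    if base not in candidate.parents:
        raise ValueError("Invalid path")
    return candidate


def classify(base: Path, inputs):
    """Map each input to 'ok' or 'rejected' so the outcomes can be compared."""
    results = {}
    for user_path in inputs:
        try:
            resolve_under_base(base, user_path)
            results[user_path] = "ok"
        except ValueError:
            results[user_path] = "rejected"
    return results


def demo():
    """Constructed layout: <tmp>/reports/summary.json, <tmp>/secret.txt and
    <tmp>/reports/link.txt -> <tmp>/secret.txt (a symlink escaping the base)."""
    tmp = Path(tempfile.mkdtemp())
    base = tmp / "reports"
    base.mkdir()
    (base / "summary.json").write_text("{}")
    outside = tmp / "secret.txt"
    outside.write_text("top secret")
    os.symlink(outside, base / "link.txt")
    inputs = [
        "summary.json",          # legitimate file
        "sub/../summary.json",   # harmless traversal that stays inside base
        "../secret.txt",         # classic escape
        "/etc/passwd",           # absolute path replaces base on join
        "link.txt",              # symlink whose target is outside base
        "",                      # empty name resolves to base itself
        "new.csv",               # not yet existing, still inside base
        "a\x00.txt",             # NUL byte
    ]
    return classify(base, inputs)


if __name__ == "__main__":
    for user_path, outcome in demo().items():
        print(f"{user_path!r}: {outcome}")
```

Note the trade-off the symlink case exposes: because resolve() follows links, a legitimate symlink inside the base that points elsewhere is rejected too. If a deployment relies on such links, compare against the resolved link target's allowed location instead of weakening the check.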
How SiteShadow detects it (high level)
- Detects file APIs combined with request-derived input.
- Flags traversal indicators (../, ..\) and missing base-dir enforcement patterns.
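To make the high-level description concrete, here is an added illustration (written for this page, not SiteShadow's detection engine, whose internals are not documented here) of a line-based heuristic along the same lines: track names assigned from request input, flag file APIs that receive such a name, downgrade the finding when a base-directory enforcement pattern appears in the snippet, and separately flag the common weak fix of stripping "../" with replace(). The three source snippets are constructed samples; the regexes and finding kinds are this example's own assumptions, and a production scanner would work on an AST rather than on regexes.

```python
import re
from dataclasses import dataclass

# Request-derived input for common Node and Python web frameworks (assumed list).
REQUEST_INPUT = re.compile(r"\b(?:req\.(?:query|params|body)|request\.(?:args|form|values|GET|POST))\b")
# File-serving / file-reading sinks (assumed list).
FILE_API = re.compile(r"\b(?:open|send_file|sendFile|readFile|readFileSync|createReadStream)\s*\(")
# Patterns that suggest the path is canonicalised and checked against a base directory.
BASE_ENFORCEMENT = re.compile(r"\b(?:resolve|realpath|is_relative_to|safe_join|secure_filename)\b")
# Stripping "../" once is bypassable ("....//" becomes "../"), so it is flagged, not trusted.
WEAK_STRIP = re.compile(r"\.replace\(\s*['\"]\.\./['\"]")
ASSIGN = re.compile(r"^\s*(?:const|let|var)?\s*([A-Za-z_]\w*)\s*=\s*(.+)$")


@dataclass
class Finding:
    line: int
    kind: str
    text: str


def _mentions(names, text):
    return any(re.search(rf"\b{re.escape(n)}\b", text) for n in names)


def scan(source: str):
    """Return findings for one snippet. Enforcement is checked snippet-wide,
    a deliberate simplification of real control-flow analysis."""
    tainted = set()
    findings = []
    enforced = bool(BASE_ENFORCEMENT.search(source))
    for n, line in enumerate(source.splitlines(), 1):
        m = ASSIGN.match(line)
        if m:
            name, rhs = m.groups()
            # Taint propagates through assignment from request input or from a tainted name.
            if REQUEST_INPUT.search(rhs) or _mentions(tainted, rhs):
                tainted.add(name)
        if WEAK_STRIP.search(line):
            findings.append(Finding(n, "weak-sanitizer", line.strip()))
        if FILE_API.search(line) and (REQUEST_INPUT.search(line) or _mentions(tainted, line)):
            kind = "traversal-needs-review" if enforced else "traversal"
            findings.append(Finding(n, kind, line.strip()))
    return findings


# Constructed samples.
VULNERABLE_JS = """const name = req.query.name;
const full = path.join(BASE, name);
res.sendFile(full);"""

HARDENED_JS = """const name = req.query.name;
const full = path.resolve(BASE, name);
if (!full.startsWith(BASE + path.sep)) return res.status(400).end();
res.sendFile(full);"""

WEAK_PY = """filename = request.args.get("f")
cleaned = filename.replace("../", "")
return send_file(os.path.join(BASE, cleaned))"""


if __name__ == "__main__":
    for label, src in [("vulnerable", VULNERABLE_JS), ("hardened", HARDENED_JS), ("weak", WEAK_PY)]:
        print(label, [(f.line, f.kind) for f in scan(src)])
```

The hardened snippet is still reported, only at a lower severity: a regex cannot prove that the startsWith check guards the sendFile call, which is exactly why such findings need a human or an AST-based pass to close.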
References
- CWE-23: https://cwe.mitre.org/data/definitions/23.html