CWE-36 Absolute Path Traversal
What this means
SiteShadow flagged code where untrusted input can influence an absolute file path (e.g., /etc/passwd, C:\Windows\...) rather than being constrained to an expected directory.
Why it matters
Absolute path access can expose sensitive files or system data.
- Direct file disclosure: configs, keys, service credentials, environment files.
- Unexpected file access: reading from system directories or other tenants' data.
- If writes are possible, this can become a path to code execution.
Safer examples
1) Reject absolute paths outright
If an input should be a filename, reject values that are absolute paths.
2) Enforce a base directory (normalize + check)
from pathlib import Path

def resolve_under_base(filename: str) -> Path:
    base = Path("/srv/uploads").resolve()
    # resolve() strips "..", duplicate separators and symlinks; an absolute
    # filename replaces base in the join, so the containment check catches it too
    candidate = (base / filename).resolve()
    if base not in candidate.parents:
        raise ValueError("Invalid path")
    return candidate
3) Prefer IDs over paths
Accept a file ID and map it to a server-known path.
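The three mitigations above combined into one validator, as an added example that is not SiteShadow's own code. It assumes a POSIX server; DEMO_BASE and the FILES_BY_ID mapping are constructed sample values. It goes slightly beyond the snippet above by also rejecting Windows-style absolute inputs (drive letters, UNC paths, a leading backslash), which a POSIX host would otherwise treat as ordinary file names.

```python
from pathlib import Path, PurePosixPath, PureWindowsPath

DEMO_BASE = Path("/srv/uploads")                   # constructed base directory
FILES_BY_ID = {"report-2024": "reports/2024.pdf"}  # constructed ID -> relative path map


def is_absolute_input(name: str) -> bool:
    """1) Reject absolute paths outright, under both POSIX and Windows rules.

    PureWindowsPath catches drive letters (C:\\..., and drive-relative C:foo),
    UNC paths (\\\\server\\share) and a leading backslash even when this code
    runs on a POSIX host, where os.path would treat them as plain names.
    """
    win = PureWindowsPath(name)
    return PurePosixPath(name).is_absolute() or bool(win.drive) or bool(win.root)


def resolve_under(base: Path, user_input: str) -> Path:
    """2) Normalize, then require the result to lie strictly below base."""
    if not user_input or is_absolute_input(user_input):
        raise ValueError("absolute paths are not allowed")
    base = base.resolve()
    # resolve() removes "..", repeated separators and symlinks, so a symlink
    # inside base that points outside it is rejected as well
    candidate = (base / user_input).resolve()
    if base not in candidate.parents:
        raise ValueError("path escapes the base directory")
    return candidate


def is_safe(base: Path, user_input: str) -> bool:
    """Boolean wrapper around resolve_under, convenient for logging and tests."""
    try:
        resolve_under(base, user_input)
        return True
    except ValueError:
        return False


def path_for_id(base: Path, file_id: str) -> Path:
    """3) Prefer IDs: the client supplies a key, never a path."""
    relative = FILES_BY_ID.get(file_id)
    if relative is None:
        raise KeyError(f"unknown file id: {file_id!r}")
    return resolve_under(base, relative)  # still validated, defence in depth


if __name__ == "__main__":
    for probe in ("report.pdf", "/etc/passwd", "../../etc/passwd", r"C:\Windows\win.ini"):
        print(f"{probe!r:28} -> {'accepted' if is_safe(DEMO_BASE, probe) else 'rejected'}")
```

The containment test is strict, so "." (the base directory itself) is rejected along with anything outside it.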
How SiteShadow detects it (high level)
- Flags file API usage where a path comes from untrusted input.
- Recognizes absolute-path indicators (a leading /, drive letters) in user-controlled contexts.
References
- CWE-36: https://cwe.mitre.org/data/definitions/36.html