P01 Path Traversal Risk
What this means
SiteShadow flagged a file path that appears to be influenced by untrusted input (request params/body/query), which can allow reading/writing unintended files.
Why it matters
- Attackers can read secrets/configs (e.g., .env, SSH keys, cloud credentials).
- Attackers may overwrite files in some flows (uploads, exports) and achieve code execution.
- Even "read-only" endpoints can become data exfiltration paths.
Safer examples
1) Use allowlists (recommended)
import os
# Only names in this fixed set are ever joined to the directory
ALLOWED = {"report.csv", "summary.json"}
# Unknown names fall back to a safe default instead of reaching the filesystem
name = name if name in ALLOWED else "summary.json"
path = os.path.join(os.environ.get("REPORT_DIR", "/srv/reports"), name)
2) Normalize + enforce a base directory
from pathlib import Path
base = Path("/srv/reports").resolve()
# resolve() collapses ".." and follows symlinks, so the check runs on the real location
candidate = (base / user_path).resolve()
if base not in candidate.parents:
    raise ValueError("Invalid path")
3) Don't pass user input directly to file APIs
Avoid patterns like open(req.query.path) or send_file(request.args["path"]).
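The base-directory check from example 2, carried through as a runnable function with the inputs it must reject. This is an added example, not SiteShadow's code; it assumes a Linux/macOS filesystem (it creates a symlink) and builds a throwaway base directory as constructed sample data.

```python
import os
import shutil
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a user-supplied path would leave the base directory."""


def resolve_under_base(base: Path, user_path: str) -> Path:
    """Resolve user_path relative to base and refuse anything that escapes it."""
    base = base.resolve()
    # Path("/srv/reports") / "/etc/passwd" == Path("/etc/passwd"): an absolute
    # input silently replaces the base, so reject it explicitly.
    if os.path.isabs(user_path):
        raise PathTraversalError("absolute paths are not allowed")
    # resolve() collapses ".." and follows symlinks, so the check is on the
    # real location, not the lexical one.
    candidate = (base / user_path).resolve()
    # The base itself is also rejected: only files strictly inside it are served.
    if base not in candidate.parents:
        raise PathTraversalError("path escapes base directory")
    return candidate


def classify(base: Path, user_path: str) -> str:
    try:
        resolve_under_base(base, user_path)
        return "allowed"
    except PathTraversalError:
        return "rejected"


def run_checks() -> dict:
    """Build a constructed base dir containing a symlink that points outside it,
    then classify a set of sample inputs (constructed, not real requests)."""
    base = Path(tempfile.mkdtemp())
    outside = Path(tempfile.mkdtemp())
    try:
        (base / "report.csv").write_text("a,b\n")
        # Lexically inside base, physically outside: a purely string-based
        # check would miss this, resolve() does not.
        (base / "link").symlink_to(outside)
        cases = ["report.csv", "sub/../report.csv", "../secrets.txt",
                 "/etc/passwd", "link/passwd", ".", "report.csv/../.."]
        return {c: classify(base, c) for c in cases}
    finally:
        shutil.rmtree(base, ignore_errors=True)
        shutil.rmtree(outside, ignore_errors=True)
```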
How SiteShadow detects it (high level)
- Looks for file APIs (open, readFile, send_file, createReadStream, etc.) combined with request/user input.
- Flags traversal/absolute-path patterns when they appear in a user-controlled context.
References
- CWE-22: https://cwe.mitre.org/data/definitions/22.html
---