Our website uses cookies to enhance your browsing experience.
Accept
to the top
>
>
>
Path Traversal

Path Traversal

Jul 15 2021

Path traversal attacks allow an attacker to gain unauthorized access to various system files and directories. Attackers use dot-dot-slash sequences (relative path traversal) or absolute paths (absolute path traversal) to access files and directories. To protect your file system, you need to validate the user's input.

Path traversal attacks, also known as directory traversal, allow an attacker to obtain files and directories that are usually limited by operation system's access control.

Relative Path Traversal

Let's say each user has their own directory which stores confidential data. To access the files, the user passes a path to relative to this directory.

It is obvious that other users' directories are nearby. Then, using the dot-dot-slash sequence ('..\' or '../'), attackers may access the files of any user. They easily gain access to the adminPasswords.txt file, passing the following string as the path:

../admin/adminPasswords.txt

Note that Windows filenames are delimited by backslash ('\'). To prevent such an attack, it's not enough to check that the string does not start with '../'. Because attackers can use the following string for malicious purposes

myFolder/../../admin/adminPasswords.txt

At first, they access the myFolder directory and then the directory containing each user's data. Then, attackers access the admin directory and get the file.

These examples show a possible way to perform a relative path traversal attack. Note that dot-dot-slash sequences allow an attacker to gain access to any file or directory on the disk.

Your application must be secured, so that a user could not access other directories. The easiest way to prevent an attack is to check strings for dot-dot-slash sequences. Unfortunately, that's not enough to ensure complete security.

Absolute Path Traversal

An absolute path traversal attack is easier to perform. Let's say we use the following C# code to process a user's request:

private void ProcessFileRequest()
{
  ....
  string userFileRelativePath = request.QueryString["relativePath"];

  string fullPath = Path.Combine(userDirectory,
                                 userFileRelativePath);
  var content = File.ReadAllText(fullPath);

  response.Write(content);
}

PVS-Studio warning: V5609 Possible path traversal vulnerability. Potentially tainted data from the 'fullPath' variable is used as path.

The user should only have access to the directory, whose path is written in the userDirectory variable. The Path.Combine method here has one important feature: if one of its arguments is an absolute path, then all previously passed arguments are ignored:

Path.Combine(rootFolder, absolutePath) == absolutePath // true

Thus, if request.QueryString["relativePath"] contains an absolute path, the path is written to fullPath. Therefore, an attacker can access any file by specifying the needed absolute path. But the user is supposed to have access only to files in userDirectory.

In such cases, the system must check whether the path passed by the user is relative. For example, in Windows, you can detect an absolute path by searching for ":". Absolute paths always have this character. But a file name or a directory name cannot contain ":".

Related Links

Popular related articles


Comments (0)

Next comments next comments
close comment form
close form

Fill out the form in 2 simple steps below:

Your contact information:

Step 1
Congratulations! This is your promo code!

Desired license type:

Step 2
Team license
Enterprise license
** By clicking this button you agree to our Privacy Policy statement
close form
Request our prices
New License
License Renewal
--Select currency--
USD
EUR
* By clicking this button you agree to our Privacy Policy statement

close form
Free PVS‑Studio license for Microsoft MVP specialists
* By clicking this button you agree to our Privacy Policy statement

close form
To get the licence for your open-source project, please fill out this form
* By clicking this button you agree to our Privacy Policy statement

close form
I am interested to try it on the platforms:
* By clicking this button you agree to our Privacy Policy statement

close form
check circle
Message submitted.

Your message has been sent. We will email you at


If you do not see the email in your inbox, please check if it is filtered to one of the following folders:

  • Promotion
  • Updates
  • Spam