How to Fix Directory Traversal Vulnerabilities

DodaTech Updated 2026-06-24 2 min read

This tutorial shows how to fix directory traversal vulnerabilities in C++ code that serves files from a base directory. We cover the key concepts, practical examples, and best practices.

Directory traversal vulnerabilities occur when file paths are constructed from user input without validation, allowing attackers to read files outside the intended directory using ../ sequences, absolute paths, or symbolic links.

Quick Fix

Wrong

std::string filename = request.getParam("file");
std::string path = "/var/www/files/" + filename;
std::ifstream file(path);

If filename is ../../etc/passwd, the path becomes /var/www/files/../../etc/passwd, resolving to /etc/passwd.

Right

std::string filename = request.getParam("file");
std::string path = sanitizePath("/var/www/files/", filename);
if (path.empty()) {
    response.status(400).send("Invalid path");
    return;
}
std::ifstream file(path);

Fix with path canonicalization

#include <algorithm>
#include <filesystem>
#include <string>

std::string sanitizePath(const std::string& base,
                         const std::string& userPath) {
    namespace fs = std::filesystem;
    // weakly_canonical resolves "..", "." and any existing symlinks. If
    // userPath is absolute, operator/ discards base entirely, and the prefix
    // check below rejects the result. (This overload throws
    // std::filesystem::filesystem_error on I/O errors; catch it in the caller
    // or use the overload that takes a std::error_code.)
    fs::path fullPath = fs::weakly_canonical(
        fs::path(base) / userPath);
    fs::path basePath = fs::weakly_canonical(base);

    // Ensure the resolved path is within the base directory. Compare path
    // elements rather than characters, so "/var/www/files_secret/x" is not
    // mistaken for a child of "/var/www/files".
    auto [baseEnd, fullEnd] = std::mismatch(
        basePath.begin(), basePath.end(),
        fullPath.begin(), fullPath.end());
    if (baseEnd != basePath.end()) return "";

    return fullPath.string();
}
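The following is an added, runnable example that is not part of the original page. resolveUnderBase() is a hypothetical helper doing the same job as sanitizePath() above, with three hardening details a practitioner will want: it uses the std::error_code overloads so malformed input cannot throw out of a request handler, it strips a trailing separator from the base so "/var/www/files/" and "/var/www/files" behave identically, and it refuses to hand back the base directory itself (userPath "", "." or "sub/.."). It also keeps a naive string-prefix check side by side to show what the element-wise comparison rejects that a string comparison would accept. It assumes C++17 std::filesystem and POSIX path semantics; the base directory does not need to exist, because weakly_canonical falls back to lexical normalization for the non-existent tail.

```cpp
#include <algorithm>
#include <filesystem>
#include <iostream>
#include <optional>
#include <string>
#include <system_error>

namespace fs = std::filesystem;

// Hypothetical helper (added example): resolve userPath under base and return
// std::nullopt unless the result is a proper descendant of base.
std::optional<fs::path> resolveUnderBase(const fs::path& base,
                                         const std::string& userPath) {
    std::error_code ec;

    fs::path basePath = fs::weakly_canonical(base, ec);
    if (ec) return std::nullopt;
    if (basePath.filename().empty())          // trailing "/" leaves an empty element
        basePath = basePath.parent_path();

    // operator/ drops `base` when userPath is absolute ("/etc/passwd"); the
    // element-wise prefix check below then rejects the result.
    fs::path fullPath = fs::weakly_canonical(base / userPath, ec);
    if (ec) return std::nullopt;
    if (fullPath.filename().empty())           // "", "." or "x/" resolved to a directory
        return std::nullopt;

    // Compare path elements, not characters: "/var/www/files_secret/x" starts
    // with the string "/var/www/files", but the element "files_secret" != "files".
    auto [baseIt, fullIt] = std::mismatch(basePath.begin(), basePath.end(),
                                          fullPath.begin(), fullPath.end());
    if (baseIt != basePath.end()) return std::nullopt;   // escaped the base
    if (fullIt == fullPath.end()) return std::nullopt;   // exactly the base dir
    return fullPath;
}

// The naive check the element-wise comparison replaces: a plain string prefix
// test. Kept only to demonstrate what it wrongly accepts.
bool naivePrefixCheck(const std::string& base, const std::string& resolved) {
    return resolved.compare(0, base.size(), base) == 0;
}

int main() {
    const fs::path base = "/var/www/files";
    // Constructed sample inputs, as a client might send them in ?file=...
    const char* inputs[] = {"report.pdf", "sub/../report.pdf", "../../etc/passwd",
                            "/etc/passwd", "../files_secret/x", "", "."};
    for (const char* in : inputs) {
        auto r = resolveUnderBase(base, in);
        std::cout << '"' << in << "\" -> "
                  << (r ? r->string() : std::string("REJECTED")) << '\n';
    }
    std::cout << "naive prefix check accepts /var/www/files_secret/x: "
              << std::boolalpha
              << naivePrefixCheck("/var/www/files", "/var/www/files_secret/x") << '\n';
    return 0;
}
```

Only "report.pdf" and "sub/../report.pdf" resolve to a path under the base; the traversal, the absolute path, the sibling-directory trick and the empty or "." inputs are all rejected, while the string-prefix check happily accepts the sibling directory.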

Fix with allowlist

#include <set>
#include <string>

// Only these exact names can ever be opened; user input is compared against
// the list, never used to build a path. (std::set::contains requires C++20;
// use allowedFiles.count(filename) == 0 on older compilers.)
std::set<std::string> allowedFiles = {
    "report.pdf", "data.csv", "config.json"
};

std::string filename = request.getParam("file");
if (!allowedFiles.contains(filename)) {
    response.status(404).send("File not found");
    return;
}
std::string path = "/var/www/files/" + filename;

Fix with database storage

// Store file content in database instead of filesystem. The user-supplied id
// is bound through the "?" placeholder, so it never becomes part of a path
// or of the SQL text.
std::string id = request.getParam("id");
auto result = db.query("SELECT content FROM files WHERE id = ?", id);
if (!result) {
    response.status(404).send("Not found");
    return;
}

Prevention

  • Use an allowlist of filenames instead of accepting user input.
  • Canonicalize paths and verify they stay within the base directory.
  • Reject paths containing .., /, or null bytes.
  • Use database storage for files instead of filesystem paths.
  • Run the application with minimal filesystem permissions.

DodaTech Tools

Doda Browser's directory traversal scanner tests file inclusion endpoints with path traversal sequences. DodaZIP encrypts and archives file access logs. Durga Antivirus Pro detects directory traversal payloads in HTTP requests.

FAQ

Can directory traversal work on Windows?

Yes. On Windows, ..\ backslash sequences and drive letters (C:\) work in addition to ../. Attackers may also use doubled sequences such as ....//....// (which survive a single pass that strips ../), URL encoding (%2e%2e/), and 16-bit Unicode encoding (..\u002f).

What files are commonly targeted in directory traversal attacks?

/etc/passwd, /etc/shadow, application configuration files (.env, config.php), source code files, SSH keys, database credentials files, and log files are common targets.

How do null byte injections relate to directory traversal?

Older applications passed filenames to C-string APIs that stop at the first null byte, so a name such as file.txt%00.jpg passed an extension check on the full string but opened file.txt. Modern languages and runtimes reject paths containing embedded null bytes, so this bypass no longer works against them.
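As an added example (not from the original page), the block below implements the lexical checks from the Prevention list (reject .., separators and null bytes) and reproduces the null byte mechanism from this FAQ answer. percentDecode() is a hypothetical stand-in for the decoding a web server performs before the filename reaches application code; the point it makes is that validation must run on the decoded value. cStringLength() shows why an embedded NUL mattered: std::string keeps every byte, but any API that receives a C string (open(2), fopen, and std::ifstream, which passes .c_str() to the OS) stops at the first NUL, so an extension check on the std::string and the file the OS actually opens disagree. Sample inputs are constructed.

```cpp
#include <cstring>
#include <string>

// Hypothetical helper: value of a hex digit, or -1 if c is not one.
static int hexVal(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Hypothetical helper modelling the server's URL decoding step. Invalid
// escapes are passed through unchanged.
std::string percentDecode(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (std::size_t i = 0; i < in.size(); ++i) {
        if (in[i] == '%' && i + 2 < in.size()) {
            int hi = hexVal(in[i + 1]);
            int lo = hexVal(in[i + 2]);
            if (hi >= 0 && lo >= 0) {
                out.push_back(static_cast<char>(hi * 16 + lo));
                i += 2;
                continue;
            }
        }
        out.push_back(in[i]);
    }
    return out;
}

// Lexical check for a single client-supplied filename component. It complements
// the canonicalization check; it does not replace it.
bool isSafeFilename(const std::string& name) {
    if (name.empty() || name.size() > 255) return false;
    if (name == "." || name == "..") return false;
    for (unsigned char c : name) {
        if (c == '\0') return false;                 // embedded NUL
        if (c == '/' || c == '\\') return false;     // any separator, either flavour
        if (c < 0x20 || c == 0x7f) return false;     // control characters
    }
    return true;
}

// Length the OS would see: strlen stops at the first NUL byte.
std::size_t cStringLength(const std::string& s) {
    return std::strlen(s.c_str());
}

// A typical extension check done on the full std::string.
bool endsWith(const std::string& s, const std::string& suffix) {
    return s.size() >= suffix.size() &&
           s.compare(s.size() - suffix.size(), suffix.size(), suffix) == 0;
}
```

For the constructed input file.txt%00.jpg, percentDecode() yields a 13-byte string: endsWith(..., ".jpg") returns true, yet cStringLength() reports 8, the length of file.txt, which is the file a C-string API would open. isSafeFilename() rejects that value, the decoded %2e%2e%2f traversal and Windows-style backslashes, while accepting a plain report.pdf.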
