How to Fix Directory Traversal Vulnerabilities
This tutorial explains how to fix directory traversal vulnerabilities in C++ file-serving code: the vulnerable pattern, three fixes (path canonicalization, an allowlist, and database storage), common mistakes, and prevention guidelines.
Directory traversal (path traversal) vulnerabilities occur when a file path is built from user input without validation, letting an attacker read files outside the intended directory by supplying ../ sequences, an absolute path, or a name that resolves through a symbolic link to a location outside that directory.
Quick Fix
Wrong
std::string filename = request.getParam("file");   // attacker-controlled
std::string path = "/var/www/files/" + filename;    // raw concatenation, no validation
std::ifstream file(path);                           // opens whatever the path resolves to
If filename is ../../../etc/passwd, the path becomes /var/www/files/../../../etc/passwd; each ../ steps up one directory (files, www, var), so it resolves to /etc/passwd.
Right
std::string filename = request.getParam("file");
std::string path = sanitizePath("/var/www/files/", filename);
if (path.empty()) {
response.status(400).send("Invalid path");
return;
}
std::ifstream file(path);
Fix with path canonicalization
#include <algorithm>
#include <filesystem>
#include <string>

// Resolves userPath under base and returns the canonical result, or "" if
// the result does not stay inside base.
std::string sanitizePath(const std::string& base,
                         const std::string& userPath) {
    namespace fs = std::filesystem;
    // weakly_canonical resolves symlinks and ".." in the parts of the path that
    // exist and normalizes the rest, so the check below sees the real target.
    fs::path basePath = fs::weakly_canonical(base);
    // A trailing separator ("/var/www/files/") leaves an empty last element that
    // would make the element-wise comparison reject every request; strip it.
    if (!basePath.has_filename()) basePath = basePath.parent_path();
    // If userPath is absolute, operator/ discards basePath; the check still catches it.
    fs::path fullPath = fs::weakly_canonical(basePath / userPath);
    // Ensure every element of the base directory is a leading element of fullPath
    auto [baseEnd, _] = std::mismatch(
        basePath.begin(), basePath.end(),
        fullPath.begin(), fullPath.end());
    if (baseEnd != basePath.end()) return "";
    return fullPath.string();
}
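As an added example (not code from the original page), the following stand-alone program implements the same element-wise containment check with std::optional, builds a constructed sandbox under the temporary directory, and runs the cases the text describes: a plain file, ../ escapes, an absolute path, a sibling directory that shares the base's name as a string prefix, and a symbolic link inside the base that points outside it. The sandbox layout, the function name resolveWithinBase and the DemoResult struct are assumptions made for this example.

```cpp
#include <algorithm>
#include <filesystem>
#include <fstream>
#include <iostream>
#include <optional>
#include <string>

namespace fs = std::filesystem;

// Resolve userPath against base and return the canonical result only if every
// element of base is a leading element of it. Symlinks and ".." are resolved
// by weakly_canonical before the comparison, so an escape through either is
// caught on the real location rather than on the string the client sent.
std::optional<fs::path> resolveWithinBase(const fs::path& base,
                                          const std::string& userPath) {
    fs::path basePath = fs::weakly_canonical(base);
    // A trailing separator ("files/") would add an empty last element and make
    // the element-wise comparison below reject everything; strip it.
    if (!basePath.has_filename()) basePath = basePath.parent_path();
    // If userPath is absolute, operator/ discards basePath entirely; the
    // containment check still rejects the result.
    fs::path full = fs::weakly_canonical(basePath / userPath);
    auto baseEnd = std::mismatch(basePath.begin(), basePath.end(),
                                 full.begin(), full.end()).first;
    if (baseEnd != basePath.end()) return std::nullopt;
    return full;
}

struct DemoResult {
    bool plainFileAllowed = false;      // "report.pdf" resolves inside the base
    bool dotDotRejected = false;        // "../secret.txt" is refused
    bool deepDotDotRejected = false;    // "../../../../../../etc/passwd" is refused
    bool absoluteRejected = false;      // an absolute path to the secret is refused
    bool siblingPrefixRejected = false; // "../files_private/x" shares a string prefix, still refused
    bool symlinkChecked = false;        // false if the sandbox could not create a symlink
    bool symlinkEscapeRejected = false; // "link" -> ../secret.txt is refused
};

// Builds a constructed sandbox under the temp directory (a hypothetical layout,
// not anything from the original page), exercises the check and cleans up.
DemoResult runDemo() {
    fs::path root = fs::temp_directory_path() / "traversal-demo-sandbox";
    fs::remove_all(root);
    fs::path base = root / "files";
    fs::create_directories(base);
    fs::create_directories(root / "files_private");
    std::ofstream{base / "report.pdf"} << "public report\n";
    std::ofstream{root / "secret.txt"} << "not for the web\n";

    DemoResult r;
    auto ok = resolveWithinBase(base, "report.pdf");
    r.plainFileAllowed = ok.has_value() && *ok == fs::weakly_canonical(base / "report.pdf");
    r.dotDotRejected = !resolveWithinBase(base, "../secret.txt").has_value();
    r.deepDotDotRejected = !resolveWithinBase(base, "../../../../../../etc/passwd").has_value();
    r.absoluteRejected = !resolveWithinBase(base, (root / "secret.txt").string()).has_value();
    r.siblingPrefixRejected = !resolveWithinBase(base, "../files_private/x").has_value();

    // Symlink inside the served directory pointing outside it; created with the
    // error_code overload so platforms without symlink support skip this case.
    std::error_code ec;
    fs::create_symlink("../secret.txt", base / "link", ec);
    if (!ec) {
        r.symlinkChecked = true;
        r.symlinkEscapeRejected = !resolveWithinBase(base, "link").has_value();
    }
    fs::remove_all(root);
    return r;
}

int main() {
    DemoResult r = runDemo();
    std::cout << "plain file allowed:        " << r.plainFileAllowed << '\n'
              << "../ rejected:              " << r.dotDotRejected << '\n'
              << "deep ../ rejected:         " << r.deepDotDotRejected << '\n'
              << "absolute path rejected:    " << r.absoluteRejected << '\n'
              << "sibling prefix rejected:   " << r.siblingPrefixRejected << '\n'
              << "symlink case checked:      " << r.symlinkChecked << '\n'
              << "symlink escape rejected:   " << r.symlinkEscapeRejected << '\n';
    return 0;
}
```

Build with -std=c++17 (older GCC also needs -lstdc++fs). The symlink and sibling-prefix cases are the point: a string search for ".." or a string prefix comparison against "/var/www/files" would accept both, while canonicalizing against the filesystem and comparing path elements rejects them.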
Fix with allowlist
#include <set>
#include <string>
// Only names listed here can be served. Anything else gets a 404, so the
// response does not reveal whether the requested path exists on disk.
std::set<std::string> allowedFiles = {
    "report.pdf", "data.csv", "config.json"
};
std::string filename = request.getParam("file");
if (!allowedFiles.contains(filename)) {   // std::set::contains is C++20; use count() != 0 before that
    response.status(404).send("File not found");
    return;
}
std::string path = "/var/www/files/" + filename;
Fix with database storage
// Store file content in the database instead of the filesystem, so no path
// is ever built from user input. The id is bound as a query parameter,
// never concatenated into the SQL string.
std::string id = request.getParam("id");
auto result = db.query("SELECT content FROM files WHERE id = ?", id);
if (!result) {
    response.status(404).send("Not found");
    return;
}
Prevention
- Use an allowlist of filenames instead of accepting user input.
- Canonicalize paths and verify they stay within the base directory.
- Reject names containing .., path separators (/ or \), or null bytes. Apply the check after any URL decoding, so %2e%2e and %2f do not slip past it, and treat it as a secondary control behind canonicalization, not a replacement for it.
- Store file content in a database keyed by an opaque id instead of building filesystem paths from user input.
- Run the application with minimal filesystem permissions.
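To show the "reject .., separators, and null bytes" guideline as working code, here is an added example (not from the original page) of a single-component filename validator: it percent-decodes the parameter exactly once, then rejects null bytes, path separators, .. sequences, leading dots and anything outside a small allowlist of characters. The names safeFilename and percentDecode, the 255-byte limit and the character set chosen are assumptions made for this example.

```cpp
#include <cctype>
#include <optional>
#include <string>

// Percent-decode once. Returns nullopt on a malformed escape such as "%2" or
// "%zz" rather than passing the raw bytes through.
static std::optional<std::string> percentDecode(const std::string& in) {
    std::string out;
    for (std::size_t i = 0; i < in.size(); ++i) {
        if (in[i] != '%') { out += in[i]; continue; }
        if (i + 2 >= in.size() ||
            !std::isxdigit(static_cast<unsigned char>(in[i + 1])) ||
            !std::isxdigit(static_cast<unsigned char>(in[i + 2]))) {
            return std::nullopt;
        }
        out += static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16));
        i += 2;
    }
    return out;
}

// Validate a user-supplied file name for use as a single path component under
// a fixed base directory. Returns the decoded name if it is safe, nullopt otherwise.
std::optional<std::string> safeFilename(const std::string& raw) {
    auto decoded = percentDecode(raw);
    if (!decoded || decoded->empty() || decoded->size() > 255) return std::nullopt;
    const std::string& name = *decoded;
    // Null byte: C APIs would truncate the path at it ("report.pdf\0.txt").
    if (name.find('\0') != std::string::npos) return std::nullopt;
    // Separators: a single component must not introduce subdirectories.
    if (name.find('/') != std::string::npos || name.find('\\') != std::string::npos) return std::nullopt;
    // Parent-directory sequences (conservatively rejected anywhere in the name).
    if (name.find("..") != std::string::npos) return std::nullopt;
    // Leading dot: hidden files such as ".htaccess" are not meant to be served
    // (a design choice for this example, not a requirement of the page).
    if (name.front() == '.') return std::nullopt;
    // Allowlist of characters: letters, digits, '.', '_' and '-' only.
    for (unsigned char c : name) {
        if (!(std::isalnum(c) || c == '.' || c == '_' || c == '-')) return std::nullopt;
    }
    return name;
}
```

Use this in front of the canonicalization check, not instead of it: the validator stops obvious payloads and encoded variants at the boundary, while the containment check catches what only the filesystem can reveal (symlinks). Decode exactly once; if the web framework already decodes query parameters, pass the decoded value and drop the percentDecode step, because decoding twice lets %252e%252e turn into .. after the check has run.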
DodaTech Tools
Doda Browser's directory traversal scanner tests file inclusion endpoints with path traversal sequences. DodaZIP encrypts and archives file access logs. Durga Antivirus Pro detects directory traversal payloads in HTTP requests.
Common Mistakes with traversal
- Concatenating the raw request parameter into a path and opening it, as in the Wrong example above: nothing checks where the path ends up.
- Searching the raw string for .. and treating its absence as proof of safety: that check misses absolute paths, URL-encoded forms such as %2e%2e%2f, and symbolic links inside the directory that point outside it.
- Verifying containment with a plain string-prefix comparison against the base: a sibling directory whose name starts with the same characters (for example /var/www/files_private next to /var/www/files) passes that test, so compare path elements as sanitizePath does.
- Canonicalizing the requested path but not the base directory: if the base sits behind a symlink or carries a trailing slash, the two never match, every legitimate request is rejected, and the check tends to get removed rather than fixed.
These mistakes appear frequently in real-world file-serving code. DodaTech's contributors have identified these patterns through analysis of open-source projects and production systems.
Practice Exercise
Write a function that takes a base directory and a user-supplied file name and returns the resolved path only when it stays inside the base, then test it with ../../../etc/passwd, an absolute path, a percent-encoded sequence such as %2e%2e%2f, a name containing a null byte, and a symbolic link inside the base that points outside it.
This exercise reinforces the concepts covered in this guide. Try implementing it before checking online solutions.
Built by the developers of DodaTech
Doda Browser, DodaZIP & Durga Antivirus Pro