The Attack
Path traversal abuses code that builds a file path from user input. If a download feature joins a base folder with a requested filename, an attacker submits a name containing dot dot slash sequences that climb out of the intended directory. A request can then read configuration files, credentials, or other users' data far outside the upload folder.
Encoded variants make detection harder: percent encoding (%2e%2e%2f for ../), double encoding (%252e), and mixed separators (..\ alongside ../) can sneak past naive filters that only look for the literal dots and slashes, because a later layer decodes the name before it reaches the filesystem.
Reliable Defenses
- Resolve the final path to its absolute, canonical form (dot segments removed, symlinks followed), then confirm it still sits inside the intended base directory. Compare path components, not a raw string prefix, so that a sibling such as uploads-archive is not mistaken for uploads.
- Reject the request if the resolved path escapes the allowed root.
- Prefer mapping requests to opaque identifiers that you look up, rather than using raw filenames at all.
- Run the process with least privilege so even an escape reaches little.
Filtering for bad characters alone is fragile because of the many encodings; canonicalizing and comparing is the robust approach.
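The following is an added example, not code from the original page: it puts the fragile blocklist filter next to the canonicalize-and-compare check described above, using Python's os.path. The base directory /srv/app/uploads and the request names are constructed for illustration; os.path.realpath is the canonicalization step and os.path.commonpath is the containment check.

```python
import os
from urllib.parse import unquote

# Assumed upload folder for the example (need not exist on disk; realpath
# still normalizes the string and follows whatever symlinks do exist).
BASE_DIR = "/srv/app/uploads"


def blocklist_filter(name: str) -> bool:
    """Naive character filter: rejects only a literal '..' in the raw input."""
    return ".." not in name


def vulnerable_download_path(name: str) -> str:
    """The weak pattern: filter the raw name, then join the decoded name.

    A percent-encoded name passes the filter, is decoded by a later layer,
    and climbs out of BASE_DIR when joined and normalized.
    """
    if not blocklist_filter(name):
        raise PermissionError("rejected by blocklist")
    decoded = unquote(name)  # models the framework decoding the filename
    return os.path.normpath(os.path.join(BASE_DIR, decoded))


def safe_download_path(name: str, base_dir: str = BASE_DIR) -> str:
    """Canonicalize the final path and confirm it stays under base_dir.

    No attempt is made to spot '..', separators or encodings in the input;
    whatever the filesystem would actually resolve is what gets checked.
    """
    decoded = unquote(name)  # same decoding the vulnerable version gets
    base = os.path.realpath(base_dir)
    try:
        # os.path.join discards base when decoded is absolute (e.g. "/etc/passwd");
        # realpath then yields the true target, and the containment check below
        # catches that case too.
        candidate = os.path.realpath(os.path.join(base, decoded))
    except ValueError as exc:  # e.g. embedded NUL byte in the name
        raise PermissionError(f"invalid path: {name!r}") from exc
    # commonpath compares whole components, so "/srv/app/uploads-evil/x"
    # shares only "/srv/app" with base and is rejected, unlike a startswith test.
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"path escapes base directory: {name!r}")
    return candidate


def is_allowed(name: str, base_dir: str = BASE_DIR) -> bool:
    """Convenience wrapper: True if the hardened check accepts the name."""
    try:
        safe_download_path(name, base_dir)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    attack = "%2e%2e/%2e%2e/%2e%2e/etc/passwd"  # constructed traversal payload
    print("blocklist passes encoded payload:", blocklist_filter(attack))
    print("vulnerable path resolves to:", vulnerable_download_path(attack))
    print("hardened check allows it:", is_allowed(attack))
    print("hardened check allows report.pdf:", is_allowed("report.pdf"))
```

Run it and the encoded payload sails through the blocklist and resolves to /etc/passwd in the vulnerable version, while the hardened version rejects it along with the plain ../ form, an absolute name, and a name that dips into a subfolder and then climbs past the root; ordinary names, including ones that use .. but stay inside the folder, are still served.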
Key idea
Path traversal uses dot dot sequences to climb out of an intended folder, and the robust fix is to resolve the final canonical path and confirm it still lives inside the allowed base directory before touching the file.