Path Traversal

Path traversal (also called directory traversal) allows attackers to read files outside the intended directory by inserting ../ sequences into file path parameters.

# VULNERABLE
filename = request.args.get('file')
path = '/var/app/uploads/' + filename
with open(path) as f:
    return f.read()
# Attacker: ?file=../../etc/passwd → reads /etc/passwd

URL-encoded variants (%2e%2e%2f) and double-encoded variants can bypass naive string checks. The attack works on Windows too with .. separators.

Resolve the full canonical path and verify it starts with the allowed base directory:

import os, pathlib

BASE = pathlib.Path('/var/app/uploads').resolve()

def safe_open(filename: str) -> str:
    # Resolve resolves symlinks and normalizes ../
    full = (BASE / filename).resolve()
    # Verify it's still inside BASE
    full.relative_to(BASE)  # raises ValueError if outside
    return full.read_text()

The relative_to() call raises ValueError if the resolved path escapes the base directory — even after symlinks and encoding tricks.

The safest approach is to avoid serving files by user-supplied paths at all. Instead, map user-visible identifiers (like numeric IDs or opaque tokens) to file paths server-side:

FILE_MAP = {
    'report-jan': '/var/reports/2024-01.pdf',
    'report-feb': '/var/reports/2024-02.pdf',
}

def serve_report(name: str):
    path = FILE_MAP.get(name)
    if path is None:
        abort(404)
    return send_file(path)

With an allowlist map, there is no path to traverse — the user can only access files you explicitly permit.