Path Traversal
User input is used as a file path without restricting it to an intended directory, letting the attacker read or write arbitrary files via ../
GateTest coverage
Caught by: security, crossFileTaint
Example
fs.readFile('./uploads/' + req.query.filename) — with req.query.filename = '../../../../etc/passwd', the concatenated path climbs out of ./uploads/ and the call reads /etc/passwd
How to fix it
Never use user input as a path component. Look up files by an opaque ID that the server maps to a stored name. If you must accept a name, validate it against an allowlist (for example letters, digits, dot, dash and underscore, no separators, no '..'), then call path.resolve() with the intended root and the name and check that the result startsWith() the root followed by a path separator. The separator matters: checking against the bare root /srv/uploads also accepts /srv/uploads-secret/x. Reject names containing a NUL byte, and run the check on the exact string handed to the filesystem call, after any decoding.
Scan your repo for CWE-22
Free preview of findings. Pay per scan — no subscription. AI auto-fix PR included on the Scan + Fix tier.
Frequently asked questions
What is CWE-22 (Path Traversal)?
User input is used as a file path without restricting it to an intended directory, letting the attacker read or write arbitrary files via ../
How do I fix path traversal?
Never use user input as a path component. Prefer an opaque ID that the server maps to a stored file name. If you must accept a name, validate it against an allowlist, resolve it with path.resolve() against the intended root, and check that the result startsWith() the root plus a trailing path separator (without the separator, /srv/uploads-secret/x passes a check for /srv/uploads). Reject NUL bytes and check the exact string passed to the filesystem call.
Does GateTest detect path traversal?
Yes — GateTest's security and crossFileTaint modules catch this class. Findings appear in the standard scan output with file and line numbers. On the Scan + Fix and Forensic Scan tiers, Claude opens a pull request with the fix.
What rank is Path Traversal in the CWE Top 25?
Path Traversal is ranked #8 in the MITRE 2023 CWE Top 25 Most Dangerous Software Weaknesses list. The ranking reflects both prevalence (how often it appears in real CVEs) and severity (the typical impact when it's exploited).