Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) |
| OWASP | A05:2017 - Broken Access Control |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description#
The code uses user-supplied input from a web request directly as a file path in the open() function without proper validation or sanitization. This allows attackers to manipulate the file path and potentially access files outside the intended directory.
Impact#
If exploited, an attacker could read or modify sensitive files on the server, such as application code, configuration files, or system data. This can lead to data leaks, unauthorized access, or further compromise of the application and underlying system.