Directory Traversal

No. Blocking literal '../' sequences is insufficient as a primary defense because attackers can bypass such filters using URL encoding ('%2e%2e%2f'), double encoding ('%252e%252e%252f'), Unicode or UTF-8 variants, and OS-specific path separators. Input validation may be applied inconsistently across a request handling pipeline, meaning a filter at one layer may not account for how another layer decodes the input. The reliable defense is to resolve the canonical absolute path of any user-influenced file reference and verify that it falls within the intended base directory before opening the file.

No, though it does reduce the potential impact. A low-privilege process account limits which files on the filesystem the application can access, so a traversal attempt may not reach sensitive system files outside that account's permissions. However, the vulnerability still exists and may still expose configuration files, application secrets, user data, or other files readable by that account. Privilege reduction is a defense-in-depth measure, not a substitute for fixing the traversal vulnerability itself.

The recommended approach is to resolve the full canonical path of the requested file using the platform's path canonicalization function (such as 'realpath()' in C or PHP, 'Path.GetFullPath()' in .NET, or 'toRealPath()' in Java) after combining the base directory with the user-supplied input. The resolved path must then be checked to confirm it begins with the expected base directory string. This check should occur after all decoding steps and before the file is opened. Allowlisting specific filenames or identifiers instead of accepting raw path input is also a strongly preferred design where feasible.

Directory traversal refers to reading arbitrary files outside an intended directory by manipulating path references. Local file inclusion (LFI) typically refers specifically to PHP and similar contexts where a user-controlled value is passed to a file inclusion function, causing the server to execute the contents of the targeted file rather than only reading it. LFI therefore carries a higher severity because it may enable remote code execution if an attacker can influence a file the server will execute. In code review, both require scrutiny of any user-influenced value that reaches a filesystem operation, but LFI review additionally requires examination of include, require, and equivalent functions.

Static analysis tools can identify patterns where user-controlled data flows into filesystem operations without apparent sanitization or path validation, which covers many common traversal cases. However, static analysis has known false negative behavior in cases where sanitization is performed indirectly, through custom or framework-provided abstractions the tool does not model, or where the data flow spans multiple services or processes. False positives occur when the tool cannot determine that a sanitization step is effective. Static analysis cannot detect traversal risks that depend on deployment-time configuration, such as which directories are mounted or which user account the process runs under. Dynamic testing and manual code review complement static analysis for broader coverage.

Testing typically includes submitting traversal sequences in all parameters, headers, and path segments that may influence file operations, using both unencoded and encoded variants including single URL encoding, double encoding, and Unicode representations. Testers should verify whether the application returns different responses (content, error messages, or timing differences) for existing versus non-existing files outside the base directory, as such differences indicate the traversal reached the filesystem. Automated scanners can cover common encoding variants but may miss application-specific logic or unusual decoding paths. Manual testing should focus on any parameter documented or inferred to reference a filename, template, or resource path. Testing should also confirm that the canonical path check is enforced server-side and cannot be bypassed by manipulating the base directory value itself if that value is configurable.