path-traversal-anti-pattern
Path Traversal Anti-Pattern
Severity: High
Summary
Attackers read or write files outside the intended directory by manipulating user input that is used to build a file path. When that input is not validated, sequences such as ../ let them walk up the directory tree to reach /etc/passwd, source code, or credentials.
The Anti-Pattern
The anti-pattern is concatenating user input into file paths without validating for directory traversal characters.
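The safe counterpart to this anti-pattern is to resolve the final path and check that it is still inside the base directory, rather than searching the input for "../". The following is an added example written for this note, not code from the skill page; the names resolve_under_base, PathOutsideBase and demo_results are assumptions, and the requests it runs are constructed.

```python
# Added example: resolve the requested file under a base directory and refuse
# anything that lands outside it. Names below are assumed, not from the page.
import os
import tempfile


class PathOutsideBase(ValueError):
    """Raised when a requested path resolves outside the allowed base directory."""


def resolve_under_base(base_dir: str, user_path: str) -> str:
    """Return the absolute, symlink-resolved path of user_path inside base_dir.

    The decision is made on the fully resolved path: "./../", doubled slashes
    and symlinks are normalised by realpath, and an absolute user_path (which
    os.path.join would accept as-is, discarding base_dir) fails the same check.
    commonpath is used instead of startswith so "/srv/uploads2" is not treated
    as a child of "/srv/uploads".
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # raised when the two paths are on different drives
        inside = False
    # The base directory itself is not a file to serve, so require a strict child.
    if not inside or candidate == base:
        raise PathOutsideBase(f"{user_path!r} resolves to {candidate}, outside {base}")
    return candidate


def demo_results() -> dict:
    """Run constructed requests against a temporary base; True means accepted."""
    base = tempfile.mkdtemp(prefix="uploads-")
    outside = tempfile.mkdtemp(prefix="secret-")
    requests = [
        ("plain", "report.pdf"),                        # accepted
        ("nested", "2024/q1/report.pdf"),               # accepted
        ("dotdot", "../../etc/passwd"),                 # rejected
        ("dotdot_hidden", "./../" + os.path.basename(outside)),  # rejected
        ("absolute", "/etc/passwd"),                    # rejected: join() drops base
        ("base_itself", ""),                            # rejected
    ]
    try:  # a symlink inside the base pointing outside it (constructed test data)
        os.symlink(outside, os.path.join(base, "link"))
        requests.append(("symlink", "link/notes.txt"))  # rejected
    except OSError:
        pass  # platform without symlink support: skip that case
    results = {}
    for label, req in requests:
        try:
            resolve_under_base(base, req)
            results[label] = True
        except PathOutsideBase:
            results[label] = False
    return results
```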
BAD Code Example
# VULNERABLE: User input joined directly to base path.
from flask import request
import os