Build fluency in the vocabulary of escaping an intended base directory via unvalidated, attacker-supplied file paths.
1 / 5
A teammate explains that a web application concatenates a user-supplied filename directly onto a base directory path, and an attacker supplies a filename containing repeated parent-directory segments to escape the intended directory and read arbitrary files. What vulnerability is being described?
Path traversal is exactly this: a web application concatenates a user-supplied filename directly onto a base directory path without validation, and an attacker supplies a filename containing repeated parent-directory segments, such as multiple dot-dot-slash sequences, to escape the intended directory and read or write arbitrary files elsewhere on the filesystem. A hash collision is an unrelated hash-table concept about two keys sharing a bucket. This escape-the-base-directory-via-parent-segments approach is exactly why unvalidated filename concatenation is treated as a critical vulnerability.
2 / 5
During a security review, the team discovers a file-download endpoint builds the file path by directly concatenating a user-supplied filename query parameter onto a fixed uploads directory, without normalizing or restricting the result to that directory. Which risk does this represent?
This represents a path-traversal vulnerability, since a filename containing repeated parent-directory segments could escape the uploads directory and expose arbitrary files on the server, such as configuration files or credentials. Normalizing the resulting path and verifying it still resides inside the uploads directory before serving it would instead close off that escape route. This concatenate-without-restricting-to-the-directory behavior is exactly why raw filename concatenation is flagged once the filename comes from user input.
3 / 5
In a code review, a dev notices a download endpoint joins a user-supplied filename parameter directly onto a fixed base directory using simple string concatenation, without normalizing the resulting path or checking that it stays within the base directory. What does this represent?
This is a path-traversal risk, since a filename with repeated parent-directory segments could resolve to a path outside the intended base directory. A cache eviction policy is an unrelated concept about discarded cache entries. This unnormalized-string-concatenation pattern is exactly the kind of vulnerability a reviewer flags once the filename originates from user input rather than a trusted internal source.
4 / 5
An incident report shows an attacker read a server's internal configuration file, including database credentials, by supplying a download filename containing repeated parent-directory segments that escaped the intended uploads directory. What practice would prevent this?
Normalizing the resulting file path and verifying it still resides within the intended base directory before serving any file ensures parent-directory segments can never escape that boundary. Continuing to concatenate the user-supplied filename directly onto the base directory regardless of what parent-directory segments the filename might contain is exactly what let the attacker read the configuration file in this incident. This normalize-and-verify-containment approach is the standard fix once unvalidated filename concatenation is confirmed to be exploitable.
5 / 5
During a PR review, a teammate asks why the team insists on normalizing and verifying file paths stay within a base directory instead of just trusting filenames that come from an authenticated user's own request. What is the reasoning?
Normalizing and verifying containment trades a small amount of extra path-handling code for closing off directory-escape attacks entirely, while trusting an authenticated user's filename ignores that authentication says nothing about whether the supplied value itself is well-formed or malicious. This is exactly why path normalization and containment checks are mandatory for any user-influenced file path, regardless of whether the requesting user is authenticated.