CWE-179: Incorrect Behavior Order: Early Validation

Description

The product validates input before applying protection mechanisms that modify the input, which could allow an attacker to bypass the validation via dangerous inputs that only arise after the modification.

Submission Date: July 19, 2006, midnight

Modification Date: 2023-06-29 00:00:00+00:00

Organization: MITRE

Extended Description

The product needs to validate data at the proper time, after the data has been canonicalized and cleansed. Early validation is susceptible to manipulations in which the canonicalization and cleansing steps themselves produce dangerous inputs that the earlier check never saw.

Example Vulnerable Codes

Example - 1

The following code attempts to validate a given input path by checking it against an allowlist and then returns the canonical path. In this specific case, the path is considered valid if it starts with the string "/safe_dir/".

    String path = getInputPath();
    if (path.startsWith("/safe_dir/"))
    {
        File f = new File(path);
        return f.getCanonicalPath();
    }

The problem with the above code is that the validation step occurs before canonicalization. An attacker could provide an input path of "/safe_dir/../" that would pass the validation step. However, the canonicalization process interprets the double dot as a traversal to the parent directory, so the canonicalized path would become just "/".

To avoid this problem, validation should occur after canonicalization takes place. In this case canonicalization occurs during the initialization of the File object. The code below fixes the issue.

    String path = getInputPath();
    File f = new File(path);
    if (f.getCanonicalPath().startsWith("/safe_dir/"))
    {
        return f.getCanonicalPath();
    }

Example - 2

This script creates a subdirectory within a user directory and sets the user as the owner.

    function createDir($userName,$dirName){
        $userDir = '/users/'. $userName;
        if(strpos($dirName,'..') !== false){
            echo 'Directory name contains invalid sequence';
            return;
        }
        //filter out '~' because other scripts identify user directories by this prefix
        $dirName = str_replace('~','',$dirName);
        $newDir = $userDir . $dirName;
        mkdir($newDir, 0700);
        chown($newDir,$userName);
    }

While the script attempts to screen for '..' sequences, an attacker can submit a directory path including ".~.", which will then become ".." after the filtering step. This allows a Path Traversal (CWE-21) attack to occur.
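The ordering mistake in both examples, as an added example that is not part of the CWE entry: each function pair models one example, the vulnerable order beside the corrected one. Canonicalization is approximated with posixpath.normpath (it resolves "." and ".." but not symlinks, unlike Java's getCanonicalPath), and the inputs are constructed for illustration; nothing touches the filesystem.

```python
"""CWE-179 modelled in Python: validate only after the input has been
canonicalized (Example 1) or cleansed (Example 2)."""
import posixpath
from typing import Optional

SAFE_DIR = "/safe_dir/"  # allowlist prefix from Example 1


def early_validation(path: str) -> Optional[str]:
    """Vulnerable order: check the raw input, then canonicalize."""
    if not path.startswith(SAFE_DIR):
        return None
    # ".." segments are resolved only here, after the check has passed
    return posixpath.normpath(path)


def late_validation(path: str) -> Optional[str]:
    """Corrected order: canonicalize first, then check the result."""
    canonical = posixpath.normpath(path)
    if not canonical.startswith(SAFE_DIR):
        return None
    return canonical


def build_dir_name_early(user_name: str, dir_name: str) -> Optional[str]:
    """Vulnerable order from Example 2: screen for '..', then strip '~'."""
    if ".." in dir_name:
        return None
    dir_name = dir_name.replace("~", "")  # ".~." collapses to ".." here
    return "/users/" + user_name + dir_name


def build_dir_name_late(user_name: str, dir_name: str) -> Optional[str]:
    """Corrected order: strip '~' first, then screen the cleansed value."""
    dir_name = dir_name.replace("~", "")
    if ".." in dir_name:
        return None
    return "/users/" + user_name + dir_name


if __name__ == "__main__":
    # Constructed inputs: the traversal input from each example
    print(early_validation("/safe_dir/../"))        # "/" slips through
    print(late_validation("/safe_dir/../"))         # None: rejected
    print(build_dir_name_early("alice", "/.~./.~./etc"))  # "/users/alice/../../etc"
    print(build_dir_name_late("alice", "/.~./.~./etc"))   # None: rejected
```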

Related Weaknesses

This table shows the weaknesses and high-level categories that are related to this weakness. These relationships are defined to give an overview of similar items that may exist at higher and lower levels of abstraction.

Visit http://cwe.mitre.org/ for more details.