Hacking Notes | Welcome 👋

How To Prevent Directory Traversal Attacks

Avoid passing user-supplied input to filesystem APIs

If this isn't possible, do the following: § Application should validate user input before processing it by being compared to an allow list § Append input to base directory and use platform filesystem API to canonicalize the path
Sample code that does this:`

File file = new File(BASE_DIRECTORY,
userInput);
if
(file.getCanonicalPath().startsWith(BASE_DIRE
CTORY)) {
// process file
}