Metastatic.Analysis.BusinessLogic.PathTraversal (Metastatic v0.10.4)


Detects potential Path Traversal vulnerabilities (CWE-22).

This analyzer identifies code patterns where user input is used in file path operations without proper validation, allowing attackers to access files outside the intended directory.

Cross-Language Applicability

Path traversal is a universal file system vulnerability:

  • Elixir: File.read!(params["filename"])
  • Python: open(request.args.get('file'))
  • JavaScript/Node: fs.readFile(req.query.file)
  • Ruby: File.read(params[:file])
  • PHP: file_get_contents($_GET['file'])
  • Java: new File(request.getParameter("path"))
  • C#: File.ReadAllText(Request.QueryString["file"])
  • Go: ioutil.ReadFile(r.URL.Query().Get("file"))

Problem

When file paths are constructed from user input without validation:

  • Attackers can use ../ sequences to escape the intended directory
  • Attackers can read sensitive files such as /etc/passwd or application config files
  • Attackers can write to arbitrary locations when the path feeds a write operation
  • Attackers can, in some cases, cause arbitrary files to be executed

Detection Strategy

The analyzer flags code where:

  1. File operation functions receive user-controlled input
  2. Path construction uses concatenation with user input
  3. No path validation/sanitization is apparent

Examples

Bad (Elixir)

def download(conn, %{"file" => filename}) do
  path = "/uploads/" <> filename  # "../" in filename escapes /uploads
  send_file(conn, 200, path)
end

Good (Elixir)

def download(conn, %{"file" => filename}) do
  safe_name = Path.basename(filename)  # Drop directory components, including any "../"
  # Path.expand normalizes "." and "..", so a bare ".." cannot produce "/uploads/.."
  path = Path.expand(safe_name, "/uploads")

  if String.starts_with?(path, "/uploads/") do
    send_file(conn, 200, path)
  else
    send_resp(conn, 400, "Invalid path")
  end
end
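The same containment check in Python, generalized to allow sub-directories under the upload root, as an added example that is not Metastatic's own code; UPLOAD_ROOT, the function names and the inputs in the comments are assumed or constructed.

```python
import posixpath
from typing import Optional

UPLOAD_ROOT = "/uploads"  # assumed base directory, as in the Elixir examples above


def naive_path(user_path: str, root: str = UPLOAD_ROOT) -> str:
    """The 'Bad' pattern: plain concatenation with no validation."""
    return root + "/" + user_path


def contained_path(user_path: str, root: str = UPLOAD_ROOT) -> Optional[str]:
    """Return the normalized absolute path of user_path under root, or None
    when the request would leave root. Unlike the Elixir example this keeps
    sub-directories ('2024/report.pdf'), so the containment check does the
    real work rather than basename(). Assumes the web framework has already
    percent-decoded user_path."""
    # Treat backslashes as separators so '..\\..\\x' is not one odd filename.
    cleaned = user_path.replace("\\", "/")
    # Embedded NUL bytes truncate paths in C-backed file APIs; reject outright.
    if "\x00" in cleaned:
        return None
    # Absolute input would make join() discard root entirely.
    if posixpath.isabs(cleaned):
        return None
    # Collapse '.', '..' and duplicate slashes before comparing against root.
    candidate = posixpath.normpath(posixpath.join(root, cleaned))
    # commonpath, not startswith: '/uploads_old/x' starts with '/uploads'
    # but is not inside it.
    if posixpath.commonpath([root, candidate]) != root:
        return None
    # Empty name or '.' resolves to the directory itself, which is not a file.
    if candidate == root:
        return None
    return candidate
```

On a live filesystem, apply os.path.realpath to both root and candidate before the commonpath comparison so a symlink inside the upload directory cannot point outside it.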