Remediation Steps

Follow the steps below to remediate this finding on Generic / Developer guidance.

  1. Path traversal (directory traversal) allows attackers to access files outside the intended directory by injecting sequences such as ../.

  2. Remediation:

    • Validate file paths against an allowlist of permitted filenames or extensions.
    • Use realpath() to resolve the canonical path and verify it starts with the expected base directory. Compare against the base with a trailing slash, otherwise a sibling directory such as /var/app/uploads_old would also pass the prefix check:

    ```php
    $base = realpath('/var/app/uploads');
    $file = realpath($base . '/' . $userInput);
    // realpath() returns false for a path that does not exist; fail closed in that case too
    if ($file === false || strpos($file, $base . '/') !== 0) {
        http_response_code(403);
        exit('Access denied');
    }
    ```
    • Never pass raw user input to filesystem functions such as fopen(), include(), or file_get_contents().
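
As an added worked example (not part of the original guidance), the following helper combines the three steps above into one fail-closed check; the base directory, the extension allowlist and the `file` query parameter are assumed values for illustration.

```php
<?php
// Added example: resolve a user-supplied filename to a canonical path inside $baseDir,
// or return null if any check fails. $baseDir and $allowedExt are assumed values.
function resolveSafePath(string $baseDir, string $userInput, array $allowedExt): ?string
{
    // Canonicalise the base directory once; fail closed if it does not exist.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }

    // Reject NUL bytes: they truncate the path in the underlying C filesystem calls.
    if (strpos($userInput, "\0") !== false) {
        return null;
    }

    // Allowlist the extension before touching the filesystem at all.
    $ext = strtolower(pathinfo($userInput, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }

    // realpath() collapses ../ segments and symlinks and returns false
    // for paths that do not exist, so a missing file is rejected here.
    $file = realpath($base . DIRECTORY_SEPARATOR . $userInput);
    if ($file === false || !is_file($file)) {
        return null;
    }

    // Compare against the base plus a trailing separator so that a sibling
    // directory such as /var/app/uploads_old does not pass the prefix check.
    if (strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    return $file;
}

// Usage: every rejected input yields null and the request is answered with 403.
$path = resolveSafePath('/var/app/uploads', $_GET['file'] ?? '', ['pdf', 'png', 'txt']);
if ($path === null) {
    http_response_code(403);
    exit('Access denied');
}
readfile($path);
```

Inputs such as `../../etc/passwd`, `report.php`, or a name pointing at a symlink that resolves outside the base directory all return null and never reach readfile().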