Our website uses cookies to enhance your browsing experience.
Accept
to the top
Home
>
Documentation
>
Warnings
>
V5332. OWASP. Possible path...
menu mobile close menu
Introduction
How to enter the PVS-Studio license and what's the next move
PVS-Studio's trial mode
System requirements
Technologies used in PVS-Studio
Release history
Release history for previous versions (before 7.00)
Analyzing projects
On Windows
Getting acquainted with the PVS-Studio static code analyzer on Windows
Build-system independent analysis (C and C++)
Direct integration of the analyzer into build automation systems (C and C++)
On Linux and macOS
PVS-Studio C# installation on Linux and macOS
How to run PVS-Studio C# on Linux and macOS
Installing and updating PVS-Studio C++ on Linux
Installing and updating PVS-Studio C++ on macOS
How to run PVS-Studio C++ on Linux and macOS
Cross-platform
Direct use of Java analyzer from command line
Cross-platform analysis of C and C++ projects in PVS-Studio
PVS-Studio for embedded development
Analysis of C and C++ projects based on JSON Compilation Database
IDE
Get started with PVS-Studio in Visual Studio
Using PVS-Studio with JetBrains Rider and CLion
How to use the PVS-Studio extension for Qt Creator
How to integrate PVS-Studio in Qt Creator without the PVS-Studio plugin
Using the PVS-Studio extension for Visual Studio Code
Using PVS-Studio with IntelliJ IDEA and Android Studio
Build systems
Analyzing Visual Studio / MSBuild / .NET projects from the command line using PVS-Studio
Using PVS-Studio with the CMake module
Integrating PVS-Studio Java into the Gradle build system
Integrating PVS-Studio Java into the Maven build system
Game Engines
How to analyze Unity projects with PVS-Studio
Analysis of Unreal Engine projects
Continuous use of the analyzer in software development
Running PVS-Studio in Docker
Running PVS-Studio in Jenkins
Running PVS-Studio in TeamCity
How to upload analysis results to Jira
PVS-Studio and continuous integration
PVS-Studio's incremental analysis mode
Analyzing commits and pull requests
Unattended deployment of PVS-Studio
Speeding up the analysis of C and C++ code through distributed build systems (Incredibuild)
Integrating of PVS-Studio analysis results in code quality services (web dashboard)
Integration of PVS-Studio analysis results into DefectDojo
Integration of PVS-Studio analysis results into SonarQube
Integration of PVS-Studio analysis results into CodeChecker
Deploying the analyzer in cloud Continuous Integration services
Using with Travis CI
Using with CircleCI
Using with GitLab CI/CD
Using with GitHub Actions
Using with Azure DevOps
Using with AppVeyor
Using with Buddy
Managing analysis results
How to display the analyzer's most interesting warnings
How to use the OWASP diagnostic group in PVS-Studio
MISRA Coding Standards and Compliance
Baselining analysis results (suppressing warnings for existing code)
Handling the diagnostic messages list in Visual Studio
Suppression of false-positive warnings
How to view and convert analyzer's results
Relative paths in PVS-Studio log files
Viewing analysis results with C and C++ Compiler Monitoring UI
Notifying the developer teams (blame-notifier utility)
Filtering and handling the analyzer output through diagnostic configuration files (.pvsconfig)
Excluding files and directories from analysis
Additional configuration and resolving issues
Tips on speeding up PVS-Studio
PVS-Studio: troubleshooting
Additional diagnostics configuration
User annotation mechanism in JSON format
Annotating C and C++ entities in JSON format
Annotating C# entities in JSON format
Predefined PVS_STUDIO macro
Analysis configuration file (Settings.xml)
Settings: general
Settings: Common Analyzer Settings
Settings: Detectable Errors
Settings: Don't Check Files
Settings: Keyword Message Filtering
Settings: Registration
Settings: Specific Analyzer Settings
Analyzer diagnostics
PVS-Studio Messages
General Analysis (C++)
General Analysis (C#)
General Analysis (Java)
Micro-Optimizations (C++)
Micro-Optimizations (C#)
Diagnosis of 64-bit errors (Viva64, C++)
Customer specific requests (C++)
MISRA errors
AUTOSAR errors
OWASP errors (C++)
OWASP errors (C#)
OWASP errors (Java)
Problems related to code analyzer
Additional information
Credits and acknowledgements
toggle menu Contents
May 26 2025

V5332. OWASP. Possible path traversal vulnerability. Potentially tainted data might be used to access files or folders outside a target directory.

May 26 2025

The analyzer has detected that data from an external source is used as file or folder paths without prior validation. This makes the application vulnerable to path traversal attacks.

This attack can be categorized under the OWASP Top 10 Application Security Risks classification as follows:

Path traversal attacks allow attackers to read, record, or delete files outside the target directory by processing the user input with special characters (for example, ..). As a result, attackers can gain access to sensitive data—passwords, keys, and configurations—or disrupt the application. For more details about the vulnerability, refer to the terminology.

The example:

HttpServletRequest request;
HttpServletResponse response;

void write(Path userdir) throws IOException {

    ....

    String userFileRelativePath = request.getParameter("relativePath");

    Path fullPath = userdir.resolve(userFileRelativePath);
    String content = Files.readString(fullPath);

    ....

    response.getWriter().write(content);
}

The method sends the contents of some file from the specified user folder. Users are expected to access only the files stored within this specified directory.

An externally supplied value from request.getParameter is used as a relative path without validation. This creates a path traversal vulnerability, enabling attackers to access the contents of any files on the system.

For example, each user's folder may contain the userInfo.xml file that stores various sensitive data. Assume the code is executed on Windows. In this case, attackers can pass the following string to request.getParameter("relativePath") to access admin user's data:

..\admin\userInfo.xml

To protect against such attacks, simply checking whether the path starts with .. is insufficient. For example, the following string could also access the same sensitive data:

someFolder\..\..\admin\userInfo.xml

Additionally, attackers could pass the absolute path instead of the relative one. If the Path#resolve argument is the absolute path, the original one will be completely ignored. For example, the method can be called as follows:

userdir.resolve("C:\\Users\\Admin\\secret.txt");

As a result, they get the path: C:\Users\Admin\secret.txt. Thus, the lack of input validation allows attackers to access any file on the system. For more details about path traversal attacks and their descriptions, refer to the official OWASP website.

To protect against path traversal attacks, ensure the target path remains within the base directory. In the example above, it is recommended to use the normalize() method to convert the path into its original form—resolving relative traversals like .. and ., and redundant separators.

After that, the path should be validated via startsWith(userdir). This prevents access to files outside the target directory, even if the path contains masked relative traversals like someFolder\..\..\..\admin\userInfo.xml.

HttpServletRequest request;
HttpServletResponse response;

void write(Path userdir) throws IOException {

    ....

    String userFileRelativePath = request.getParameter("relativePath");

    Path fullPath = userdir.resolve(userFileRelativePath);
    
    if (fullPath.normalize().startsWith(userdir)) {
        String content = Files.readString(fullPath);

        ....

        response.getWriter().write(content);
    } else {
        ....
    }
}

This diagnostic is classified as:

Was this page helpful?

< Previous
Next >
close form

Fill out the form in 2 simple steps below:

Your contact information:

Step 1
Congratulations! This is your promo code!

Desired license type:

Step 2
Team license
Enterprise license
* Difference between Team and Enterprise
Didn't get our email?
close form
Request our prices
Why do we ask to use Business Email?
New License
License Renewal
--Select currency--
USD
EUR
Didn't get our email?
close form
Free PVS‑Studio license for Microsoft MVP specialists
Why do we ask to use Business Email?
Didn't get our email?
close form
To get the licence for your open-source project, please fill out this form
Didn't get our email?
close form
I want to join the test
Why do we ask to use Business Email?
Didn't get our email?
* By clicking this button you agree to our Privacy Policy statement

close form
check circle
Message submitted.

Your message has been sent. We will email you at


If you do not see the email in your inbox, please check if it is filtered to one of the following folders:

  • Promotion
  • Updates
  • Spam