Back to skills
extension
Category: Development & EngineeringNo API key required

cwe-22-path-traversal

Use this skill when you need to remediate CWE-22 (Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)) vulnerabilities in Java code. Triggers on SAST findings, security reviews, or when fixing improper limitation of a pathname to a restricted directory (path traversal) issues.

personAuthor: jakexiaohubgithub

CWE-22 Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)

Description

Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)

Reference: https://cwe.mitre.org/data/definitions/22.html

OWASP Category: A01:2021 – Broken Access Control


Vulnerable Pattern

❌ Example 1

    private ResponseEntity<GenericVulnerabilityResponseBean<String>> readFile(
            Supplier<Boolean> condition, String fileName) {
        if (condition.get()) {
            InputStream infoFileStream =
                    this.getClass().getResourceAsStream("/scripts/PathTraversal/" + fileName);
            if (infoFileStream != null) {
                try (BufferedReader reader =
                        new BufferedReader(new InputStreamReader(infoFileStream))) {
                    String information = reader.readLine();
                    StringBuilder payload = new StringBuilder();
                    while (information != null) {
                        payload.append(information);
                        information = reader.readLine();
                    }
                    return new ResponseEntity<GenericVulnerabilityResponseBean<String>>(
                            new GenericVulnerabilityResponseBean<>(payload.toString(), true),
                            HttpStatus.OK);
                } catch (IOException e) {
                    LOGGER.error("Following error occurred: ", e);
                }
            }
        }
        return new ResponseEntity<GenericVulnerabilityResponseBean<String>>(
                new GenericVulnerabilityResponseBean<>(), HttpStatus.OK);
    }

Deterministic Fix


Detection Pattern

Look for these patterns in your codebase:

# Find File constructor with user input
grep -rn "new File(" --include="*.java" | grep -E "\+|getParameter"
# Find path operations
grep -rn "Paths.get\|Files.read\|Files.write" --include="*.java"

Remediation Steps

  1. Normalize file paths using Path.normalize() or Paths.get().normalize()

  2. Validate the canonical path is within allowed directory

  3. Use allowlist for permitted file names or extensions

  4. Reject paths containing .. or absolute paths

  5. Use secure file APIs that prevent traversal


Key Imports


import java.nio.file.Path;

import java.nio.file.Paths;

import java.io.File;


Verification

After remediation:

  • Re-run SAST scan - CWE-22 should be resolved

  • Test with traversal payloads: ../../../etc/passwd

  • Verify access is restricted to intended directory


Trigger Examples

Fix CWE-22 vulnerability
Resolve Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) issue
Secure this Java code against improper limitation of a pathname to a restricted directory (path traversal)
SAST reports CWE-22

Common Vulnerable Locations

| Layer | Files | Patterns | |-------|-------|----------|

| Controller | *Controller.java | File download/upload |

| Service | *Service.java | File processing |

| Utility | *Util.java | File operations |


References


Source: Generated by Java CWE Security Skills Generator Last Updated: 2026-03-07