Conversation

@timokoessler
Member

No description provided.

@codecov

codecov bot commented May 12, 2025

Codecov Report

Attention: Patch coverage is 99.24812% with 1 line in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
library/helpers/getRawUrlPath.ts 95.00% 1 Missing ⚠️


}

// Also check encoded paths
const decodedPath = decodeURIComponent(rawPath);
Member Author

Does not cover double-encoding, should we?

Member

Question for @kapyteinaikido
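To illustrate the double-encoding question raised above, here is an added example (not the project's code) that checks the URL path at every decoding depth, stopping when decoding no longer changes the string or when decodeURIComponent rejects malformed input. Function names such as urlPathTraversalDepth and the constructed sample paths are assumptions.

```typescript
// Added example, not part of the project: detect ".." path segments in a
// URL path at increasing percent-decoding depths (raw, decoded, double-decoded).

// Decode repeatedly until the string stops changing, bounded by maxRounds.
// Returns every intermediate form so each layer can be inspected.
function decodeLayers(path: string, maxRounds = 3): string[] {
  const layers: string[] = [path];
  let current = path;
  for (let i = 0; i < maxRounds; i++) {
    let decoded: string;
    try {
      decoded = decodeURIComponent(current);
    } catch {
      break; // malformed percent-encoding: keep the layers gathered so far
    }
    if (decoded === current) break; // nothing left to decode
    layers.push(decoded);
    current = decoded;
  }
  return layers;
}

// A traversal pattern is a whole ".." segment between "/" or "\" separators,
// so "/a/..." or "/a/..b" are not flagged.
function containsTraversalSegment(path: string): boolean {
  return path.split(/[\/\\]/).includes("..");
}

// Returns the decoding depth at which a traversal segment first appears:
// 0 = raw path, 1 = single-encoded, 2 = double-encoded; -1 if none found.
function urlPathTraversalDepth(rawPath: string): number {
  const layers = decodeLayers(rawPath);
  for (let depth = 0; depth < layers.length; depth++) {
    if (containsTraversalSegment(layers[depth])) return depth;
  }
  return -1;
}

// Block the request if any decoding depth reveals a traversal segment.
function shouldBlockUrlPath(rawPath: string): boolean {
  return urlPathTraversalDepth(rawPath) >= 0;
}

// Constructed sample inputs (hypothetical paths, not from the project):
console.log(urlPathTraversalDepth("/static/../config"));          // 0
console.log(urlPathTraversalDepth("/static/%2e%2e/config"));      // 1
console.log(urlPathTraversalDepth("/static/%252e%252e/config"));  // 2
console.log(urlPathTraversalDepth("/static/%zz"));                // -1
```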

@timokoessler timokoessler marked this pull request as ready for review May 12, 2025 11:26
@timokoessler timokoessler changed the title Improve reliability of path traversal detection Block request if URL path contains path traversal patterns May 12, 2025
return true;
}

// Only checks the url path for path traversal attacks, other inputs are checked using the sinks

Function handles multiple unrelated security concerns (IP blocking, user agent blocking, path traversal) in 185 lines.
