The Security Threat of “..” and “/..” in File Path Strings

Jonathan Dowdell
2 min read · Jan 4, 2023


When working with file paths in a web application, it is important to ensure that the file paths are secure and do not contain any elements that could be used to gain access to unauthorized files or directories. One common security threat in file path strings is the presence of ".." or "/.." elements.

The ".." component refers to the parent of the current directory, and "/.." is simply that component following a path separator, which is how it appears once a user-supplied name is joined onto a directory path ("/uploads/.." is the parent of "/uploads"; at the root, "/.." resolves to "/" itself). Because the operating system applies these components when it resolves the path, an attacker who controls part of a path can walk out of the intended directory tree and reach files and directories the application never meant to expose.

For example, consider a web application that lets users upload files into a fixed directory and builds the destination path by joining that directory with a user-supplied file name. A name such as "../report.txt" resolves to the parent of the upload directory, and enough repeated "../" components resolve all the way to the filesystem root, so the attacker can write a file into a directory the application never intended to expose.

One way to prevent this type of security threat is to validate the path and reject any that contains a ".." component before using it, for instance with a regular expression. A blocklist of this kind is only a first line of defence, though: it does nothing about an absolute path supplied where a relative name was expected, and it misses encoded forms such as "%2e%2e" if the check runs before the input is decoded. The more robust check is to resolve the path against the intended base directory, normalize it, and confirm that the result still starts with that base directory.

Here is an example of how to use a regular expression to validate a file path:

import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class Main {
    public static void main(String[] args) {
        // Reject any string that contains ".." anywhere: the negative
        // lookahead fails as soon as a ".." is found, so matches() returns false
        String pattern = "^(?!.*\\.\\.).*$";

        // Compile the pattern once; Pattern objects are immutable and reusable
        Pattern r = Pattern.compile(pattern);

        // Check the whole path against the pattern (matches() anchors both ends)
        Matcher m = r.matcher("/usr/local/../bin/./file.txt");
        if (m.matches()) {
            System.out.println("Valid file path");
        } else {
            System.out.println("Invalid file path");
        }
    }
}

The code starts by defining a regular expression pattern as a string. The pattern is used to match file paths that do not contain "..".

The code then creates a Pattern object from the regular expression pattern using the compile() method. This Pattern object is used to create a Matcher object, which is used to perform the actual regular expression matching.

If the file path matches the pattern, the code will print "Valid file path". If the file path does not match the pattern, the code will print "Invalid file path".

In this case, the file path will be considered invalid because it contains a ".." component. The "." component in the same path is harmless (it refers to the current directory) and is not matched by the pattern.
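The regex check above rejects literal "..", but it says nothing about where the path actually ends up once it is joined to the upload directory. The following is an added example, not code from the original article, showing the regex check side by side with a canonical check that resolves the user-supplied name against a base directory, normalizes it, and requires the result to stay inside that directory. The upload directory, the helper names and the sample inputs are all assumptions made for the illustration.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

public class SafeUploadPath {
    // Assumed upload directory for the example; any absolute directory works.
    private static final Path UPLOAD_DIR =
            Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    // The blocklist check from the article: reject any input containing "..".
    private static final Pattern DOT_DOT = Pattern.compile("\\.\\.");

    static boolean passesRegexCheck(String userPath) {
        return !DOT_DOT.matcher(userPath).find();
    }

    // Canonical check: join the name onto the base directory, collapse "." and
    // "..", then require that the result still lives under UPLOAD_DIR.
    // Throws IllegalArgumentException when the path would escape.
    static Path resolveInsideUploadDir(String userPath) {
        // The check must run on the string the filesystem will see, so decode
        // percent-encoding here; in a real app decode exactly once, the way
        // your framework does, to avoid double-decoding bypasses.
        String decoded = URLDecoder.decode(userPath, StandardCharsets.UTF_8);
        // resolve() returns the argument unchanged when it is absolute, so an
        // absolute input is caught by the startsWith() test below.
        Path candidate = UPLOAD_DIR.resolve(decoded).normalize();
        if (!candidate.startsWith(UPLOAD_DIR) || candidate.equals(UPLOAD_DIR)) {
            throw new IllegalArgumentException("path escapes upload directory: " + userPath);
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: two benign names and three escape attempts.
        String[] samples = {
            "report.txt",
            "2023/notes.txt",
            "../../etc/cron.d/job",        // literal traversal, both checks reject
            "%2e%2e/%2e%2e/etc/passwd",    // encoded traversal, regex allows
            "/etc/passwd"                  // absolute path, regex allows
        };
        for (String s : samples) {
            String regexVerdict = passesRegexCheck(s) ? "regex: allow " : "regex: reject";
            String canonVerdict;
            try {
                canonVerdict = "canonical: allow -> " + resolveInsideUploadDir(s);
            } catch (IllegalArgumentException e) {
                canonVerdict = "canonical: reject";
            }
            System.out.printf("%-28s %s   %s%n", s, regexVerdict, canonVerdict);
        }
    }
}
```

Run it with "java SafeUploadPath.java" (Java 11 or later). The two benign names pass both checks; the literal "../../" name fails both; the percent-encoded name and the absolute path pass the regex but are rejected by the canonical check because, after resolution, they no longer start with the upload directory. The canonical check does not follow symbolic links; if the upload tree can contain links pointing outside it, resolve the parent directory with toRealPath() before comparing.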

