Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

igbuend/path-traversal-anti-pattern

Name: path-traversal-anti-pattern
Author: igbuend

skills/path-traversal-anti-pattern/SKILL.md

npx skillsauth add igbuend/grimbard path-traversal-anti-pattern

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Path Traversal Anti-Pattern

Severity: High

Summary

Attackers read or write files outside intended directories by manipulating user input in file paths. Using sequences like ../ without validation allows navigation up directory trees to access /etc/passwd, source code, or credentials.

The Anti-Pattern

The anti-pattern is concatenating user input into file paths without validating for directory traversal characters.

BAD Code Example

# VULNERABLE: User input joined directly to base path.
from flask import request
import os

BASE_DIR = "/var/www/uploads/"

@app.route("/files/view")
def view_file():
    # Filename from request without validation.
    filename = request.args.get("filename")

    # User input concatenated with base directory.
    # No path traversal validation.
    file_path = os.path.join(BASE_DIR, filename)

    # Attack: /files/view?filename=../../../../etc/passwd
    # Result: /var/www/uploads/../../../../etc/passwd
    # Resolves to: /etc/passwd

    # Reads and returns system password file.
    try:
        with open(file_path, 'r') as f:
            return f.read()
    except FileNotFoundError:
        return "File not found.", 404

GOOD Code Example

# SECURE: Validate input and canonicalize path.
from flask import request
import os

BASE_DIR = "/var/www/uploads/"

@app.route("/files/view/secure")
def view_file_secure():
    filename = request.args.get("filename")

    # 1. Basic validation: check for malicious characters.
    if ".." in filename or filename.startswith("/"):
        return "Invalid filename.", 400

    # 2. Construct full path.
    file_path = os.path.join(BASE_DIR, filename)

    # 3. Canonicalize: resolve symbolic links and `../` sequences.
    #    Most critical step.
    real_path = os.path.realpath(file_path)
    real_base_dir = os.path.realpath(BASE_DIR)

    # 4. Ensure resolved path within intended base directory.
    if not real_path.startswith(real_base_dir + os.sep):
        return "Access denied: Path is outside of the allowed directory.", 403

    # Safe to access file.
    try:
        with open(real_path, 'r') as f:
            return f.read()
    except FileNotFoundError:
        return "File not found.", 404

Detection

Trace user input: Follow any user-controlled input (from request parameters, body, headers, etc.) that is used in a file operation.
Look for path concatenation: Search for functions that join or concatenate strings to form file paths (e.g., os.path.join, + on strings).
Check for missing validation: Verify that before being used, the input is checked for path traversal sequences (../, ..\). A simple search-and-replace for ../ is not sufficient due to potential bypasses like ....//.
Ensure path canonicalization: The most important check is to see if the application resolves the final path to its absolute, canonical form and then verifies that it is still within the intended base directory.

Prevention

[ ] Never trust user input: Don't trust user-provided data in file path construction.
[ ] Validate input: Use strict allowlist of known-good filenames. Otherwise disallow path traversal sequences.
[ ] Canonicalize paths: Use os.path.realpath() (Python), File.getCanonicalPath() (Java) to resolve to absolute form.
[ ] Verify final path: After canonicalization, ensure path starts with expected base directory. Most reliable prevention.
[ ] Use indirect references: Use IDs or indices instead of filenames. User never directly controls file path.

Related Security Patterns & Anti-Patterns

Missing Input Validation Anti-Pattern: Path traversal is a specific, high-impact consequence of missing input validation.
Unrestricted File Upload Anti-Pattern: An attacker might use path traversal to write a malicious file (like a web shell) to an executable directory on the server.
Command Injection Anti-Pattern: Path traversal can be used in conjunction with command injection to execute programs from unexpected locations.

References

OWASP Top 10 A05:2025 - Injection
OWASP GenAI LLM07:2025 - System Prompt Leakage
OWASP API Security API1:2023 - Broken Object Level Authorization
OWASP Path Traversal
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CAPEC-126: Path Traversal
PortSwigger: File Path Traversal
Source: sec-context

igbuend/path-traversal-anti-pattern

skills/path-traversal-anti-pattern/SKILL.md

Security anti-pattern for path traversal vulnerabilities (CWE-22). Use when generating or reviewing code that handles file paths, reads or writes files based on user input, or serves static content. Detects joining user input to paths without proper sanitization or validation.

4 stars

development

Updated Apr 5, 2026

$ install --global

skillsauth

npx skillsauth add igbuend/grimbard path-traversal-anti-pattern

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 5, 2026, 8:19 PM10.4s1 file scanned

SKILL.md

name:: path-traversal-anti-pattern
description:: Security anti-pattern for path traversal vulnerabilities (CWE-22). Use when generating or reviewing code that handles file paths, reads or writes files based on user input, or serves static content. Detects joining user input to paths without proper sanitization or validation.

Path Traversal Anti-Pattern

Severity: High

Summary

The Anti-Pattern

The anti-pattern is concatenating user input into file paths without validating for directory traversal characters.

BAD Code Example

# VULNERABLE: User input joined directly to base path.
from flask import request
import os

BASE_DIR = "/var/www/uploads/"

@app.route("/files/view")
def view_file():
    # Filename from request without validation.
    filename = request.args.get("filename")

    # User input concatenated with base directory.
    # No path traversal validation.
    file_path = os.path.join(BASE_DIR, filename)

    # Attack: /files/view?filename=../../../../etc/passwd
    # Result: /var/www/uploads/../../../../etc/passwd
    # Resolves to: /etc/passwd

    # Reads and returns system password file.
    try:
        with open(file_path, 'r') as f:
            return f.read()
    except FileNotFoundError:
        return "File not found.", 404

GOOD Code Example

# SECURE: Validate input and canonicalize path.
from flask import request
import os

BASE_DIR = "/var/www/uploads/"

@app.route("/files/view/secure")
def view_file_secure():
    filename = request.args.get("filename")

    # 1. Basic validation: check for malicious characters.
    if ".." in filename or filename.startswith("/"):
        return "Invalid filename.", 400

    # 2. Construct full path.
    file_path = os.path.join(BASE_DIR, filename)

    # 3. Canonicalize: resolve symbolic links and `../` sequences.
    #    Most critical step.
    real_path = os.path.realpath(file_path)
    real_base_dir = os.path.realpath(BASE_DIR)

    # 4. Ensure resolved path within intended base directory.
    if not real_path.startswith(real_base_dir + os.sep):
        return "Access denied: Path is outside of the allowed directory.", 403

    # Safe to access file.
    try:
        with open(real_path, 'r') as f:
            return f.read()
    except FileNotFoundError:
        return "File not found.", 404

Detection

Trace user input: Follow any user-controlled input (from request parameters, body, headers, etc.) that is used in a file operation.
Look for path concatenation: Search for functions that join or concatenate strings to form file paths (e.g., os.path.join, + on strings).
Check for missing validation: Verify that before being used, the input is checked for path traversal sequences (../, ..\). A simple search-and-replace for ../ is not sufficient due to potential bypasses like ....//.
Ensure path canonicalization: The most important check is to see if the application resolves the final path to its absolute, canonical form and then verifies that it is still within the intended base directory.

Prevention

[ ] Never trust user input: Don't trust user-provided data in file path construction.
[ ] Validate input: Use strict allowlist of known-good filenames. Otherwise disallow path traversal sequences.
[ ] Canonicalize paths: Use os.path.realpath() (Python), File.getCanonicalPath() (Java) to resolve to absolute form.
[ ] Verify final path: After canonicalization, ensure path starts with expected base directory. Most reliable prevention.
[ ] Use indirect references: Use IDs or indices instead of filenames. User never directly controls file path.

Related Security Patterns & Anti-Patterns

Missing Input Validation Anti-Pattern: Path traversal is a specific, high-impact consequence of missing input validation.
Unrestricted File Upload Anti-Pattern: An attacker might use path traversal to write a malicious file (like a web shell) to an executable directory on the server.
Command Injection Anti-Pattern: Path traversal can be used in conjunction with command injection to execute programs from unexpected locations.

References

OWASP Top 10 A05:2025 - Injection
OWASP GenAI LLM07:2025 - System Prompt Leakage
OWASP API Security API1:2023 - Broken Object Level Authorization
OWASP Path Traversal
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CAPEC-126: Path Traversal
PortSwigger: File Path Traversal
Source: sec-context

Related Skills

igbuend/xss-anti-pattern

development

VerifiedTrustedCommunity

Security anti-pattern for Cross-Site Scripting vulnerabilities (CWE-79). Use when generating or reviewing code that renders HTML, handles user input in web pages, uses innerHTML/document.write, or builds dynamic web content. Covers Reflected, Stored, and DOM-based XSS. AI code has 86% XSS failure rate.

4SKILL.mdUpdated Apr 5, 2026

igbuend/xss-anti-pattern

igbuend/xpath-injection-anti-pattern

development

VerifiedTrustedCommunity

Security anti-pattern for XPath injection vulnerabilities (CWE-643). Use when generating or reviewing code that queries XML documents, constructs XPath expressions, or handles user input in XML operations. Detects unescaped quotes and special characters in XPath queries.

4SKILL.mdUpdated Apr 5, 2026

igbuend/xpath-injection-anti-pattern

igbuend/weak-password-hashing-anti-pattern

development

VerifiedTrustedCommunity

Security anti-pattern for weak password hashing (CWE-327, CWE-759). Use when generating or reviewing code that stores or verifies user passwords. Detects use of MD5, SHA1, SHA256 without salt, or missing password hashing entirely. Recommends bcrypt, Argon2, or scrypt.

4SKILL.mdUpdated Apr 5, 2026

igbuend/weak-password-hashing-anti-pattern

igbuend/weak-encryption-anti-pattern

development

VerifiedTrustedCommunity

Security anti-pattern for weak encryption (CWE-326, CWE-327). Use when generating or reviewing code that encrypts data, handles encryption keys, or uses cryptographic modes. Detects DES, ECB mode, static IVs, and custom crypto implementations.

4SKILL.mdUpdated Apr 5, 2026

igbuend/weak-encryption-anti-pattern

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/igbuend/grimbard.git

# Copy into Claude Code skills folder (global)
cp -r grimbard/skills/path-traversal-anti-pattern ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

igbuend/grimbard

4 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT