handbook/tools/3.Web-Hacking/4.Injection/Directory-Traversal/Notes/3.How-To-Prevent-Directory-Traversal-Attacks.md

2024-08-30 23:07:22 +00:00
## How To Prevent Directory Traversal Attacks
- Avoid passing user-supplied input to filesystem APIs at all.
- If this isn't possible, do the following:
  - Validate user input against an allow list before processing it.
  - Append the input to the base directory, then use the platform filesystem API to canonicalize the resulting path and confirm it still starts with the base directory.
- Sample code that does this:
```java
import java.io.File;
import java.io.IOException;

// BASE_DIRECTORY is assumed to be an absolute, already-canonical path.
// getCanonicalPath() resolves ".." segments and symlinks, so a traversal
// attempt ends up outside BASE_DIRECTORY and fails the prefix check.
// getCanonicalPath() throws IOException, which the caller must handle.
File file = new File(BASE_DIRECTORY, userInput);
if (file.getCanonicalPath().startsWith(BASE_DIRECTORY)) {
    // process file
}
```
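The same two defences in Python, as an added example (not code from the original note): an allow-list check on the raw input, and the append-then-canonicalize check using `os.path.realpath`. The base directory and allowed names are constructed for this example; the prefix comparison includes the path separator so that a sibling directory sharing the base name (e.g. `uploads_old`) is not accepted.

```python
import os
from typing import Optional

# Constructed base directory for this example (assumption, not from the note).
BASE_DIRECTORY = os.path.realpath("/var/www/uploads")

# Constructed allow list: the only names the application will ever serve.
ALLOWED_NAMES = {"report.pdf", "avatar.png", "invoice-2024.csv"}


def is_allowed_name(user_input: str) -> bool:
    """Allow-list check: the raw input must exactly match a known-good name."""
    return user_input in ALLOWED_NAMES


def resolve_under_base(user_input: str, base: str = BASE_DIRECTORY) -> Optional[str]:
    """Append the input to the base directory, canonicalize the result, and
    return it only if it is strictly inside the base directory.

    Returns None when the canonical path escapes the base (via "..", an
    absolute path, or a symlink), or when it merely shares a name prefix
    with the base directory.
    """
    base = os.path.realpath(base)
    # os.path.join discards `base` if user_input is absolute; realpath then
    # yields a path outside base, which the check below rejects.
    candidate = os.path.realpath(os.path.join(base, user_input))
    # Compare against base plus a separator: "/var/www/uploads_old/x" starts
    # with "/var/www/uploads" but not with "/var/www/uploads/".
    if candidate.startswith(base + os.sep):
        return candidate
    return None


if __name__ == "__main__":
    # Constructed inputs: one benign name, three traversal attempts.
    for name in ["report.pdf", "../../etc/passwd", "/etc/passwd", "../uploads_old/x"]:
        print(f"{name!r:28} allow-list={is_allowed_name(name)!s:5} "
              f"canonical={resolve_under_base(name)}")
```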