cwe-22-path-traversal


Use this skill when you need to remediate CWE-22 (Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)) vulnerabilities in Java code. Triggers on SAST findings, security reviews, or when fixing improper limitation of a pathname to a restricted directory (path traversal) issues.

By DevelopersCoffee. Updated 3/6/2026

name: cwe-22-path-traversal
description: Use this skill when you need to remediate CWE-22 (Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)) vulnerabilities in Java code. Triggers on SAST findings, security reviews, or when fixing improper limitation of a pathname to a restricted directory (path traversal) issues.
version: 1.0.0
license: MIT
tags:

  • security

  • java

  • cwe-22

  • remediation

  • sast

  • path-traversal

  • file-access

  • input-validation


CWE-22 Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)

Description

Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)

Reference: https://cwe.mitre.org/data/definitions/22.html

OWASP Category: A01:2021 – Broken Access Control


Vulnerable Pattern

❌ Example 1

    import java.io.BufferedReader;
    import java.io.IOException;
    import java.io.InputStream;
    import java.io.InputStreamReader;
    import java.util.function.Supplier;
    import org.springframework.http.HttpStatus;
    import org.springframework.http.ResponseEntity;
    // GenericVulnerabilityResponseBean and LOGGER come from the surrounding project (not shown here).

    private ResponseEntity<GenericVulnerabilityResponseBean<String>> readFile(
            Supplier<Boolean> condition, String fileName) {
        if (condition.get()) {
            // Sink: fileName is concatenated unchecked, so "../" sequences in the
            // request change which resource is opened (CWE-22).
            InputStream infoFileStream =
                    this.getClass().getResourceAsStream("/scripts/PathTraversal/" + fileName);
            if (infoFileStream != null) {
                try (BufferedReader reader =
                        new BufferedReader(new InputStreamReader(infoFileStream))) {
                    String information = reader.readLine();
                    StringBuilder payload = new StringBuilder();
                    while (information != null) {
                        payload.append(information);
                        information = reader.readLine();
                    }
                    // The whole file, wherever it came from, is returned to the caller.
                    return new ResponseEntity<GenericVulnerabilityResponseBean<String>>(
                            new GenericVulnerabilityResponseBean<>(payload.toString(), true),
                            HttpStatus.OK);
                } catch (IOException e) {
                    LOGGER.error("Following error occurred: ", e);
                }
            }
        }
        return new ResponseEntity<GenericVulnerabilityResponseBean<String>>(
                new GenericVulnerabilityResponseBean<>(), HttpStatus.OK);
    }

Deterministic Fix


Detection Pattern

Look for these patterns in your codebase:

# Find File constructors built from concatenated or request-supplied input
grep -rn "new File(" --include="*.java" | grep -E "\+|getParameter"
# Find NIO path operations (inspect how the Path argument is built)
grep -rn "Paths.get\|Files.read\|Files.write" --include="*.java"
# Find classpath lookups with concatenated names, as in Example 1
grep -rn "getResourceAsStream(\|getResource(" --include="*.java" | grep "+"

Remediation Steps

  1. Normalize file paths using Path.normalize() (or Paths.get(...).normalize()) after resolving the user-supplied name against the allowed base directory. Normalization is purely lexical (it collapses . and ..), so it must be combined with step 2.

  2. Validate that the canonical path is within the allowed directory: compare with Path.startsWith(base) (or File.getCanonicalPath() plus a separator-aware prefix check), not a plain String.startsWith, which lets /data/uploads2 pass for /data/uploads. Use toRealPath() when symlinks inside the directory are possible.

  3. Use an allowlist for permitted file names or extensions; when the set of files is known, requiring a single path segment that matches a strict pattern is the strongest control.

  4. Reject paths containing .. or absolute paths, checking after any URL/percent decoding the framework performs; a check on the raw string misses encoded forms such as %2e%2e%2f.

  5. Use secure file APIs that prevent traversal: pass the validated java.nio.file.Path to java.nio.file.Files rather than concatenating strings into new File(...) or getResourceAsStream(...).


Key Imports


import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.io.File;

Verification

After remediation:

  • Re-run SAST scan - CWE-22 should be resolved

  • Test with traversal payloads: ../../../etc/passwd, its percent-encoded form ..%2f..%2f..%2fetc%2fpasswd, a backslash variant (..\..\) on Windows, an absolute path, and a name with an embedded null byte; every one must be rejected

  • Verify access is restricted to intended directory
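
The following class is an added example, not the skill's own code, that serves both the Remediation Steps and the Verification bullets above: checkName() applies the allowlist, single-segment, normalize and Path.startsWith checks in order, readScript() adds the symlink (toRealPath) check before reading, and main() pushes the verification payloads through the check. The base directory SCRIPTS_DIR, the SAFE_NAME allowlist pattern and the class name are assumptions for this example; it replaces the path-resolution logic of Example 1, not its Spring response wrapper.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Hardened replacement for the readFile() sink in Example 1, with a harness
 * that runs traversal payloads through the check. Added example, not the
 * skill's own code. SCRIPTS_DIR and the SAFE_NAME allowlist are assumptions.
 */
public class SafeScriptReader {

    // Assumption: scripts live in a dedicated on-disk directory (not the classpath).
    private static final Path SCRIPTS_DIR =
            Paths.get("/opt/app/scripts/PathTraversal").toAbsolutePath().normalize();

    // Allowlist (assumed policy): one path segment of safe characters plus a permitted extension.
    private static final Pattern SAFE_NAME =
            Pattern.compile("[A-Za-z0-9_-]{1,64}\\.(txt|properties)");

    /**
     * Map a user-supplied name to a Path inside SCRIPTS_DIR without touching the
     * file system, or throw IllegalArgumentException. Remediation steps 3, 4, 1
     * and 2 in that order; once the allowlist passes, the later checks are defence
     * in depth.
     */
    static Path checkName(String fileName) {
        if (fileName == null || !SAFE_NAME.matcher(fileName).matches()) {
            throw new IllegalArgumentException("rejected by allowlist");
        }
        Path candidate = Paths.get(fileName);
        // Reject absolute paths and anything that is not a single segment (covers "..").
        if (candidate.isAbsolute() || candidate.getNameCount() != 1) {
            throw new IllegalArgumentException("not a single relative segment");
        }
        // Resolve against the base, normalize lexically, then compare as Paths:
        // Path.startsWith is segment-aware, whereas String.startsWith would also
        // accept /opt/app/scripts/PathTraversal2.
        Path resolved = SCRIPTS_DIR.resolve(candidate).normalize();
        if (!resolved.startsWith(SCRIPTS_DIR)) {
            throw new IllegalArgumentException("escapes base directory");
        }
        return resolved;
    }

    /** Read the file, additionally refusing symlinks that point outside SCRIPTS_DIR. */
    static String readScript(String fileName) throws IOException {
        Path real = checkName(fileName).toRealPath();
        if (!real.startsWith(SCRIPTS_DIR.toRealPath())) {
            throw new IllegalArgumentException("symlink target escapes base directory");
        }
        return Files.readString(real, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed payloads: the plain traversal from the Verification section plus
        // encoded, absolute, backslash and null-byte variants a tester would also send.
        List<String> payloads = List.of(
                "info.txt",
                "../../../etc/passwd",
                "..%2F..%2F..%2Fetc%2Fpasswd",
                "/etc/passwd",
                "..\\..\\windows\\win.ini",
                "info.txt\u0000.jpg");
        for (String p : payloads) {
            try {
                System.out.println("ACCEPT " + p + " -> " + checkName(p));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + p + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

checkName() is deliberately free of I/O so the payload harness runs anywhere; of the six constructed payloads only info.txt passes the allowlist, and the single-segment and startsWith checks would still stop the traversal variants if the allowlist were later loosened. The null-byte payload is rejected before Paths.get() sees it, which also avoids the InvalidPathException that call would otherwise throw. Requires Java 11 or later for Files.readString.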


Trigger Examples

Fix CWE-22 vulnerability
Resolve Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) issue
Secure this Java code against improper limitation of a pathname to a restricted directory (path traversal)
SAST reports CWE-22

Common Vulnerable Locations

| Layer | Files | Patterns |
| --- | --- | --- |
| Controller | *Controller.java | File download/upload |
| Service | *Service.java | File processing |
| Utility | *Util.java | File operations |


References


Source: Generated by Java CWE Security Skills Generator. Last Updated: 2026-03-07

Install via CLI
npx skills add https://github.com/DevelopersCoffee/java-cwe-security-skills --skill cwe-22-path-traversal
Repository: branch main, path SKILL.md