OeditusCredo.Check.Security.PathTraversal
(OeditusCredo v0.6.3)
View Source
Basics
This check is disabled by default.
Learn how to enable it via .credo.exs.
This check has a base priority of high and works with any version of Elixir.
Explanation
Detects potential path traversal vulnerabilities (CWE-22).
Building file paths directly from user input can allow ../ traversal
and unauthorized file access.
Bad:
File.read!(params["file"])
File.write!("/tmp/" <> filename, content)Good:
safe = Path.basename(filename)
File.read!(Path.join("/safe/dir", safe))Check-Specific Parameters
Use the following parameters to configure this check:
:exclude_test_files
Set to true to skip test files (default: false)
This parameter defaults to nil.
General Parameters
Like with all checks, general params can be applied.
Parameters can be configured via the .credo.exs config file.