Elixir Delete Path Traversal
Description
This detector identifies path traversal vulnerabilities in Elixir code where user-controlled input is passed to file system operations without proper sanitization. Attackers can exploit this to access files outside the intended directory by using sequences like "../" to navigate up the directory tree, potentially exposing sensitive files or system data.
Detection Strategy
• The detector flags function calls that perform file operations (identified as FILE_SINKS such as File.read, File.write, File.delete, etc.)
• The file path parameter in these operations must be traced back to user input sources (such as request parameters, form data, or external API inputs)
• The path from user input to the file operation must lack proper sanitization that would prevent directory traversal sequences like '../' or absolute path manipulation
• A vulnerability is reported when all three conditions are met: dangerous file operation + user-controlled path + insufficient sanitization
Vulnerable code example
defmodule VulnerableController do
def delete_file(conn) do
filename = conn.params["filename"]
# VULNERABLE: User-controlled input reaches File.rm!/1 enabling path traversal
File.rm!("uploads/" <> filename)
conn...✅ Secure code example
defmodule SecureController do
@base_dir "uploads"
def delete_file(conn) do
filename = conn.params["filename"]
base = Path.expand(@base_dir)
target = Path.expand(Path.join(base, filename))...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.