Path traversal risk
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 25 points from that category, once per scan, no matter how many places it turns up.
What it detects
Building a filesystem path directly from user-controlled input without sanitization risks path traversal.
Why it matters
When a filename from the request goes into a filesystem call, '../' sequences walk out of the intended folder, exposing configuration files, source code, or credentials on the server. Encoded variants get past naive filters. File download and preview endpoints are where this shows up most.
How to fix it
Resolve the requested name against a fixed base directory and verify the result stays inside it: in Node, path.resolve(BASE, name) then check the result starts with BASE plus the path separator; in Python, use Path(BASE, name).resolve() and relative_to(BASE) inside a try block. Better still, map opaque IDs to file paths server-side so client input never names a path directly.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo