---
title: Use Internal Data For File Paths (Path Traversal)
impact: HIGH
impactDescription: prevents path traversal attacks
tags: file-system, path-traversal, security, csharp
---

## Use Internal Data For File Paths (Path Traversal)

Never use user input directly in file paths.

**Incorrect (path traversal):**

```csharp
public IActionResult GetFile(string filename)
{
    // Attacker: filename = "../../../etc/passwd"
    return PhysicalFile(Path.Combine("uploads", filename), "text/plain");
}
```

**Correct (validation):**

```csharp
public IActionResult GetFile(string filename)
{
    // Preferred: look the file up by an internal ID and take the stored name from the DB.
    // Otherwise: strip any directory components from the user-supplied name.
    var name = Path.GetFileName(filename); // "../../x/report.txt" -> "report.txt"

    // _env is the injected IWebHostEnvironment
    var path = Path.Combine(_env.WebRootPath, "uploads", name);
    return PhysicalFile(path, "text/plain");
}
```
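Added here as an example (not code from the original page): a helper that combines the `Path.GetFileName` step above with a canonical-path check, since `Path.GetFileName` leaves `.` and `..` unchanged and an attacker-controlled name must still end up under the uploads root. The class name, the method name and the uploads root are assumptions.

```csharp
using System;
using System.IO;

public static class SafeUploadPath
{
    // Returns the absolute path of an upload, or null if the name is not a plain
    // file name that resolves inside the uploads directory.
    public static string? Resolve(string uploadsRoot, string? userSuppliedName)
    {
        if (string.IsNullOrWhiteSpace(userSuppliedName))
            return null;

        // Drop any directory components ("a/b/c.txt" -> "c.txt").
        var name = Path.GetFileName(userSuppliedName);

        // GetFileName keeps "." and ".." unchanged, so reject them explicitly.
        if (name.Length == 0 || name == "." || name == "..")
            return null;

        // Canonicalise both sides and confirm the result is still under the root.
        var root = Path.GetFullPath(uploadsRoot).TrimEnd(Path.DirectorySeparatorChar)
                   + Path.DirectorySeparatorChar;
        var full = Path.GetFullPath(Path.Combine(root, name));
        var cmp = OperatingSystem.IsWindows()
            ? StringComparison.OrdinalIgnoreCase
            : StringComparison.Ordinal;

        return full.StartsWith(root, cmp) ? full : null;
    }

    public static void Main()
    {
        // Constructed sample inputs, not taken from any real request.
        var root = Path.Combine(Path.GetTempPath(), "uploads");
        string[] inputs = { "report.txt", "../../../etc/passwd", "..", "", "sub/notes.txt" };
        foreach (var input in inputs)
        {
            var resolved = Resolve(root, input);
            Console.WriteLine($"{input,-24} -> {resolved ?? "REJECTED"}");
        }
    }
}
```

Note that `../../../etc/passwd` is accepted as the plain name `passwd` inside the uploads root, which is the behaviour the validation above intends; only `..`, `.` and empty names are refused outright.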

**Tools:** Roslyn Analyzers, SonarQube
