---
title: No Internal File Paths in URL
impact: MEDIUM
impactDescription: prevents Path Traversal and Local File Inclusion (LFI)
tags: security, path-traversal, lfi, vulnerability
---

## No Internal File Paths in URL

Never let user input directly determine which file is read or modified on the server. Either reduce the input to a single path component and confirm the result still resolves inside the intended directory, or, better, map an opaque identifier to a filename on the server side so the client never supplies a path at all.

**Incorrect (Path Traversal vulnerability):**

```ruby
def download
  file_path = "storage/user_files/#{params[:filename]}"
  send_file file_path # Attacker: ?filename=../../../etc/passwd
end
```

**Correct (strip directory components, then verify the file):**

```ruby
def download
  # Strip every directory component: "../../../etc/passwd" becomes "passwd".
  filename = File.basename(params[:filename])
  file_path = Rails.root.join("storage", "user_files", filename)

  # File.file? (not File.exist?) also rejects directories, which send_file cannot serve.
  if File.file?(file_path)
    send_file file_path
  else
    render_404
  end
end
```
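The following is an added example, not code from the original page and not Rails code. It shows the two approaches above in plain Ruby: a resolver that applies the `File.basename` strip, canonicalises the result and proves it still lies inside the storage directory (including after symlink resolution), beside an indirect-reference table that maps opaque IDs to filenames so the client never sends a path. `PathTraversalError`, `resolve_under`, `safe_user_file`, `FILE_INDEX`, `path_for_id`, `classify` and the sample files are hypothetical; the Rails `send_file`/`render_404` calls are replaced by returning the resolved absolute path.

```ruby
# Added example, not code from the original page: turn untrusted input into a
# path that is guaranteed to stay inside a storage directory. Names below
# (PathTraversalError, resolve_under, safe_user_file, FILE_INDEX, path_for_id)
# are hypothetical; the Rails send_file / render_404 calls are left out and the
# resolved absolute path is returned instead.
require "tmpdir"

class PathTraversalError < StandardError; end

# Reduce +user_input+ to a single path component under +base_dir+ and return
# the canonical absolute path. Raises on anything that could leave base_dir.
def resolve_under(base_dir, user_input)
  # A NUL byte can truncate the name in C-level file APIs ("x.pdf\0.png").
  raise PathTraversalError, "null byte in filename" if user_input.include?("\0")

  # File.basename only treats "\" as a separator on Windows, so normalise it
  # first; afterwards "../../../etc/passwd" and "..\\..\\win.ini" are just leaves.
  name = File.basename(user_input.tr("\\", "/"))
  if name.empty? || name == "." || name == ".." || name == "/"
    raise PathTraversalError, "empty or dot-only filename"
  end

  base = File.expand_path(base_dir)
  # Join before expanding: File.expand_path("~user", base) would expand a home
  # directory, but a "~" in the middle of a path is left alone.
  full = File.expand_path(File.join(base, name))

  # Defence in depth: even after basename, prove the canonical path is inside base.
  unless full.start_with?(base + File::SEPARATOR)
    raise PathTraversalError, "path escapes #{base}"
  end
  full
end

# What a controller would hand to send_file: an existing regular file whose
# symlink-resolved location is also inside base_dir.
def safe_user_file(base_dir, user_input)
  full = resolve_under(base_dir, user_input)
  # File.file? (not File.exist?) also rejects directories.
  raise PathTraversalError, "no such file" unless File.file?(full)

  # If users can create symlinks in the storage dir, realpath is what matters.
  real_base = File.realpath(base_dir)
  real = File.realpath(full)
  unless real.start_with?(real_base + File::SEPARATOR)
    raise PathTraversalError, "symlink escapes #{real_base}"
  end
  real
end

# Indirect reference: the client only ever sees an opaque id. The server owns
# the id -> filename table (a database column in a real app; constructed here),
# so the filename is never user-controlled at all.
FILE_INDEX = { "a1" => "report.pdf", "b2" => "invoice.txt" }.freeze

def path_for_id(base_dir, id)
  name = FILE_INDEX.fetch(id) { raise PathTraversalError, "unknown file id #{id.inspect}" }
  safe_user_file(base_dir, name)
end

# Run each input through safe_user_file and record what happened.
def classify(base_dir, inputs)
  inputs.to_h do |input|
    outcome = begin
      "served #{File.basename(safe_user_file(base_dir, input))}"
    rescue PathTraversalError => e
      "rejected: #{e.message}"
    end
    [input, outcome]
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample storage directory with one legitimate file.
  Dir.mktmpdir("user_files") do |dir|
    File.write(File.join(dir, "report.pdf"), "constructed sample content")
    classify(dir, ["report.pdf", "../../../etc/passwd", "..\\..\\windows\\win.ini",
                   "report.pdf\0.png", "..", "/etc/report.pdf"]).each do |input, outcome|
      puts "#{input.inspect.ljust(28)} => #{outcome}"
    end
  end
end
```

Note that `File.basename` alone already neutralises `../../../etc/passwd` (it becomes `passwd`, which simply does not exist in the storage directory); the containment and `realpath` checks are there so the guarantee survives a future refactor that drops the strip, or a storage directory into which users can plant symlinks. The ID mapping removes the problem entirely and is the form to prefer when the application controls the file names.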

**Tools:** Brakeman, RuboCop
---
