High SeverityA01:2021 - Broken Access ControlCWE-22

How to Fix Path Traversal in Django

Learn how to prevent and fix Path Traversal vulnerabilities in Django applications. Step-by-step guide with code examples, security checklists, and best practices.

What Is Path Traversal?

Path Traversal (also known as directory traversal or dot-dot-slash attacks) is a vulnerability that allows attackers to read, and sometimes write, arbitrary files on the server by manipulating file path references. The attack uses special characters like `../` (parent directory) to navigate outside the intended directory.

For example, if an application serves files from `/app/uploads/` based on user input, an attacker might request `../../../etc/passwd` to read the system's password file. The vulnerability occurs when applications use user-supplied input to construct file paths without proper validation or sandboxing.

In Node.js applications, path traversal can occur in: file upload/download handlers that use user-supplied filenames; static file serving that does not properly restrict the base directory; template rendering that accepts user-controlled template paths; and API routes that read configuration files based on user input. Next.js API routes and server components that handle file operations are potential attack surfaces.

Why It Matters

Path traversal can expose the entire server filesystem to an attacker. Sensitive files that might be accessed include application source code, configuration files with database credentials and API keys, environment files (.env), private keys and certificates, user-uploaded data belonging to other users, and operating system files. If write access is also possible, attackers can overwrite configuration files, inject malicious code, or create web shells. In containerized environments, path traversal might allow container escape if not properly sandboxed.

How to Fix It in Django

Never use user-supplied input directly in file path construction. Use a whitelist of allowed filenames or identifiers that map to actual file paths. Resolve the final path using `path.resolve()` and verify it falls within the expected base directory. Strip or reject path traversal sequences (../, ..\, and URL-encoded variants). Use `path.basename()` to extract just the filename from user input. Implement chroot jails or use containerization to limit filesystem access. Set restrictive file system permissions -- the application should only have access to directories it needs. For file uploads, generate random filenames rather than using user-supplied names.

Django-Specific Advice

Django's template engine auto-escapes HTML by default. Never use the `|safe` filter or `mark_safe()` with unsanitized user input.
Use Django's ORM for all database queries. When raw SQL is needed, always use parameterized queries: `cursor.execute('SELECT ... WHERE id = %s', [user_id])`.
Keep Django's CSRF middleware enabled. Use `{% csrf_token %}` in all forms and configure CSRF for AJAX requests.
Set `DEBUG = False` in production. Debug mode exposes detailed error pages with sensitive information.

Django Security Checklist for Path Traversal

Audit all file system operations that use user-supplied input

Resolve file paths and verify they fall within the expected base directory

Use path.basename() to extract filenames from user input

Reject paths containing traversal sequences (../, ..\)

Generate random filenames for uploaded files rather than using user-supplied names

Set restrictive file system permissions on the application's directories

Run SafeVibe's path traversal scan on your Django application

Django Security Best Practices

Django's template engine auto-escapes HTML by default. Never use the `|safe` filter or `mark_safe()` with unsanitized user input.

Use Django's ORM for all database queries. When raw SQL is needed, always use parameterized queries: `cursor.execute('SELECT ... WHERE id = %s', [user_id])`.

Keep Django's CSRF middleware enabled. Use `{% csrf_token %}` in all forms and configure CSRF for AJAX requests.

Set `DEBUG = False` in production. Debug mode exposes detailed error pages with sensitive information.

Use Django's built-in password hashing (PBKDF2 by default) and never implement custom password storage.

Configure `SECURE_SSL_REDIRECT`, `SECURE_HSTS_SECONDS`, `SESSION_COOKIE_SECURE`, and `CSRF_COOKIE_SECURE` in production settings.

Use `django-ratelimit` or Django REST Framework's throttling for rate limiting on authentication and API endpoints.

Keep `SECRET_KEY` secret and unique per environment. Rotate it if it is ever exposed.

Scan Your Django App with SafeVibe

Stop guessing if your Django app is vulnerable to Path Traversal. Run an automated penetration test in minutes and get actionable results.

Start Free Scan

Related Guides

Path Traversal in Other Frameworks

Express FastAPI Ruby on Rails Laravel

View all Path Traversal guides

More Django Security Guides

Cross-Site Scripting (XSS)SQL Injection Cross-Site Request Forgery (CSRF)Insecure Direct Object References (IDOR)

View all Django guides

What Is Path Traversal?

Why It Matters

How to Fix It in Django

Django-Specific Advice

Django's template engine auto-escapes HTML by default. Never use the `|safe` filter or `mark_safe()` with unsanitized user input.
Use Django's ORM for all database queries. When raw SQL is needed, always use parameterized queries: `cursor.execute('SELECT ... WHERE id = %s', [user_id])`.
Keep Django's CSRF middleware enabled. Use `{% csrf_token %}` in all forms and configure CSRF for AJAX requests.
Set `DEBUG = False` in production. Debug mode exposes detailed error pages with sensitive information.