Security

Path traversal

Last updated: 4 Mar 2026

Definition

Manipulated paths (e.g., ../) escape the intended directory to access unintended files.

How to fix Path traversal?

Resolve the requested path to its canonical form and verify that it still lies under a fixed base directory; use safe file APIs; enforce allowlists; reject traversal sequences and double-encoding.
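The fix above, as an added example (not code from the original page): a Python resolver that decodes once, rejects traversal sequences and double-encoding, canonicalises with realpath, checks containment against the canonical base, and applies a file-type allowlist. The base directory `/srv/app/public` and the allowed suffixes are constructed for the demonstration.

```python
import os
from urllib.parse import unquote

# Constructed base directory for the demonstration; it need not exist,
# os.path.realpath simply normalises it.
BASE_DIR = "/srv/app/public"
ALLOWED_SUFFIXES = (".html", ".css", ".js", ".png")


class PathTraversalError(ValueError):
    """Raised when a client-supplied path would escape the base directory."""


def decode_once(raw: str) -> str:
    """Percent-decode exactly once. If a second decode still changes the string,
    the input was double-encoded (e.g. %252e%252e) and is rejected outright."""
    decoded = unquote(raw)
    if unquote(decoded) != decoded:
        raise PathTraversalError("double-encoded path rejected")
    return decoded


def safe_resolve(requested: str, base_dir: str = BASE_DIR) -> str:
    """Map a client-supplied relative path to an absolute path inside base_dir.
    Order of checks: decode once, lexical rejection of hostile sequences,
    canonicalisation, containment against the canonical base, extension allowlist."""
    base = os.path.realpath(base_dir)
    decoded = decode_once(requested)
    if decoded.startswith("/") or "\\" in decoded or "\x00" in decoded:
        raise PathTraversalError("absolute path, backslash or NUL byte rejected")
    if ".." in decoded.split("/"):
        raise PathTraversalError("traversal sequence rejected")
    # realpath collapses '.' segments and follows symlinks for components that
    # exist, so a symlink inside base_dir pointing outside is caught below.
    candidate = os.path.realpath(os.path.join(base, decoded))
    # commonpath, not str.startswith: '/srv/app/public2' must not pass for base '/srv/app/public'.
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError("resolved path escapes base directory")
    if not candidate.endswith(ALLOWED_SUFFIXES):
        raise PathTraversalError("file type not in allowlist")
    return candidate


def check_request(requested: str, base_dir: str = BASE_DIR) -> tuple[bool, str]:
    """Return (True, resolved_path) for a safe request, else (False, reason)."""
    try:
        return True, safe_resolve(requested, base_dir)
    except PathTraversalError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for req in ("css/site.css", "../../../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd",
                "%252e%252e/etc/passwd", "/etc/passwd", ".env", "img/./logo.png"):
        print(f"{req!r:32} -> {check_request(req)}")
```

The lexical `..` check fires before any filesystem access, so encoded variants are rejected by the same rule once decoded; the containment check is what catches escapes that the lexical rules cannot see, such as symlinks.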

Symptoms

Observable signs that may indicate Path traversal:

  • Requests containing `../`, `%2e%2e/`, or similar sequences access unexpected files.
  • Logs show attempts to reach `/etc/passwd`, `.env`, or config directories.
  • The file actually served does not match the requested path and lies outside the web root.

Example Errors:

  • File not found: ../../../../etc/passwd
  • SecurityError: attempted relative import beyond toplevel package
  • Access denied: path escapes base directory