Make path traversal containment check case-insensitive

bitterpanda63 · bitterpanda63 · commit 64b566971584 · 2026-06-01T15:05:43.000+02:00
diff --git a/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/path_traversal/PathTraversalDetector.java b/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/path_traversal/PathTraversalDetector.java
@@ -30,7 +30,7 @@ public DetectorResult run(String userInput, String[] arguments) {
             // Ignore cases where the user input is longer than the file path.
             return new DetectorResult();
         }
-        if (!filePath.contains(userInput)) {
+        if (!filePath.toLowerCase().contains(userInput.toLowerCase())) {
             // Ignore cases where the user input is not part of the file path.
             return new DetectorResult();
         }
diff --git a/agent_api/src/test/java/vulnerabilities/path_traversal/PathTraversalDetectorTest.java b/agent_api/src/test/java/vulnerabilities/path_traversal/PathTraversalDetectorTest.java
@@ -210,4 +210,11 @@ public void testUserInputWithEmptyFilePath() {
     public void testUserInputWithFilePathContainingSpaces() {
         assertNotAttack(PathTraversalDetector.INSTANCE.run("test file", new String[]{"directory/test file.txt"}));
     }
+
+    @Test
+    public void testCaseInsensitiveContainmentDetectsTraversal() {
+        assertAttack(PathTraversalDetector.INSTANCE.run("/ETC/passwd", new String[]{"/etc/passwd"}));
+        assertAttack(PathTraversalDetector.INSTANCE.run("/ETC/PASSWD", new String[]{"/etc/passwd"}));
+        assertAttack(PathTraversalDetector.INSTANCE.run("/HOME/USER/file.txt", new String[]{"/home/user/file.txt"}));
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -30,7 +30,7 @@ public DetectorResult run(String userInput, String[] arguments) {`
`30`	`30`	`// Ignore cases where the user input is longer than the file path.`
`31`	`31`	`return new DetectorResult();`
`32`	`32`	`}`
`33`		`- if (!filePath.contains(userInput)) {`
	`33`	`+ if (!filePath.toLowerCase().contains(userInput.toLowerCase())) {`
`34`	`34`	`// Ignore cases where the user input is not part of the file path.`
`35`	`35`	`return new DetectorResult();`
`36`	`36`	`}`
Original file line number	Diff line number	Diff line change
`@@ -210,4 +210,11 @@ public void testUserInputWithEmptyFilePath() {`
`210`	`210`	`public void testUserInputWithFilePathContainingSpaces() {`
`211`	`211`	`assertNotAttack(PathTraversalDetector.INSTANCE.run("test file", new String[]{"directory/test file.txt"}));`
`212`	`212`	`}`
	`213`	`+`
	`214`	`+ @Test`
	`215`	`+ public void testCaseInsensitiveContainmentDetectsTraversal() {`
	`216`	`+ assertAttack(PathTraversalDetector.INSTANCE.run("/ETC/passwd", new String[]{"/etc/passwd"}));`
	`217`	`+ assertAttack(PathTraversalDetector.INSTANCE.run("/ETC/PASSWD", new String[]{"/etc/passwd"}));`
	`218`	`+ assertAttack(PathTraversalDetector.INSTANCE.run("/HOME/USER/file.txt", new String[]{"/home/user/file.txt"}));`
	`219`	`+ }`
`213`	`220`	`}`