Make path traversal containment check case-insensitive

Author: bitterpanda63

aikido_zen/vulnerabilities/path_traversal/detect_path_traversal.py

@@ -28,7 +28,7 @@ def detect_path_traversal(file_path, user_input, check_path_start=True, is_url=F
         # Because the user input can't be part of the file path.
         return False
 
-    if user_input not in file_path:
+    if user_input.lower() not in file_path.lower():
         # We ignore cases where the user input is not part of the file path.
         return False
 

aikido_zen/vulnerabilities/path_traversal/detect_path_traversal_test.py

@@ -150,3 +150,9 @@ def test_replacement_char_prefix_does_not_hide_traversal():
         detect_path_traversal(replacement * 3 + traversal, replacement * 3 + traversal)
         is True
     )
+
+
+def test_case_insensitive_path_containment():
+    assert detect_path_traversal("/etc/passwd", "/ETC/passwd") is True
+    assert detect_path_traversal("/etc/passwd", "/ETC/PASSWD") is True
+    assert detect_path_traversal("/home/user/file.txt", "/HOME/USER/file.txt") is True