Path Traversal
User input used in a file-system path escapes the intended directory via ../ or encoded variants. Arcis strips traversal sequences and rejects path-encoded payloads at the request boundary.
What it catches
- Bare traversal: `../`, `..\`
- Encoded once: `%2e%2e%2f`, `%2e%2e/`
- Double-encoded: `%252e%252e%252f`
- Unicode lookalikes: `．．` (fullwidth dots, closed by NFKC in v1.6)
- Mixed slashes: `..\/..`, `....//`
- Null byte injection: `file.png\0../etc/passwd`
- Windows reserved names: `CON`, `NUL`, `COM1-9`, `LPT1-9`
Sample payload
// Before (file param)
"../../../etc/passwd"
// After (sanitize)
"etc/passwd"
// In block mode: 403, vector=path, rule=patterns.path.traversal
Configuration
app.use(arcis({
  block: true,
  sanitize: { path: { enabled: true } }
}));
Disable or dry-run
app.get('/admin/file-browser', arcis({ sanitize: { path: false } }), handler);
References
Defense-in-depth. Use path.resolve() plus a startsWith() check against your safe root as your primary defense. Whitelist file extensions where possible. Arcis catches the listed patterns at the request boundary; the resolved-path check is what guarantees the final path stays inside the root, whatever encoding or separator mix the request used.