Add /app and /code as unsafe path starts

bitterpanda63 · bitterpanda63 · commit 6401dce40d7b · 2026-02-10T15:04:24.000+01:00
diff --git a/aikido_zen/vulnerabilities/path_traversal/detect_path_traversal_test.py b/aikido_zen/vulnerabilities/path_traversal/detect_path_traversal_test.py
@@ -68,6 +68,8 @@ def test_user_input_is_longer_than_file_path():
 
 def test_absolute_linux_path():
     assert detect_path_traversal("/etc/passwd", "/etc/passwd") is True
+    assert detect_path_traversal("/home/binaries/test", "/home/binaries") is True
+    assert detect_path_traversal("/app/.env", "/app/.env") is True
 
 
 def test_linux_user_directory():
diff --git a/aikido_zen/vulnerabilities/path_traversal/unsafe_path_start.py b/aikido_zen/vulnerabilities/path_traversal/unsafe_path_start.py
@@ -20,6 +20,9 @@
     "/tmp/",
     "/usr/",
     "/var/",
+    # More common in docker apps :
+    "/app/",
+    "/code/",
 ]
 
 # List of dangerous path starts, including Windows paths

Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,9 @@`
`20`	`20`	`"/tmp/",`
`21`	`21`	`"/usr/",`
`22`	`22`	`"/var/",`
	`23`	`+ # More common in docker apps :`
	`24`	`+ "/app/",`
	`25`	`+ "/code/",`
`23`	`26`	`]`
`24`	`27`
`25`	`28`	`# List of dangerous path starts, including Windows paths`