Path Traversal in Actix with Jwt Tokens

Path Traversal occurs when an API endpoint uses user-supplied data to build file system paths without adequate validation or sanitization. In Actix applications that also use JWT tokens for authentication, the combination can expose or amplify the risk if authorization checks rely solely on the presence of a valid token rather than verifying that the requested resource belongs to the authenticated subject.

Consider an endpoint like /files/{filename} that reads files from a base directory. If the handler uses the token’s subject claim to construct a path such as {base_dir}/{subject}/{filename} but does not normalize or validate {filename}, an attacker can supply path sequences like ../../../etc/passwd. Without proper checks, the resolved path can escape the intended subject folder and access arbitrary files on the server. Even when JWT tokens confirm identity, the API may still return sensitive files because the path logic does not enforce ownership boundaries per request.

This becomes a more critical issue when JWT tokens are used but the API does not enforce strict access controls on the filesystem layer. For example, an attacker with a valid token for subject alice could request ../../../bob/private_key.pem if the server na拼接 subject with the user-provided filename. The token itself is not malicious, but the lack of canonicalization and ownership checks allows traversal across directory boundaries, leading to Information Exposure (CWE-22). In such cases, the JWT token identifies the user but does not prevent the traversal because the server trusts the filename input instead of verifying that the resolved path remains within the permitted directory subtree.

In the context of middleBrick’s security checks, this scenario would be flagged under BOLA/IDOR and Input Validation categories. The scanner tests whether path manipulation can escape intended directories and whether authorization is tied to resource ownership rather than mere authentication. Because middleBrick tests the unauthenticated attack surface, it can detect endpoints where traversal is possible even when JWT tokens are required, highlighting gaps in path handling and resource ownership mapping.

To remediate Path Traversal in Actix when JWT tokens are used, ensure that every file operation validates and sanitizes user input and enforces strict ownership based on token claims. Do not rely on the token alone to prevent unauthorized file access; instead, normalize paths and confirm that resolved paths remain within the allowed directory.

Below is a secure example in Actix using the jsonwebtoken crate for validation and the std::path::Path utilities for safe path construction. The handler extracts the subject from the token, joins it with a sanitized filename, and verifies the final path is within the permitted base directory before reading the file.

use actix_web::{web, HttpResponse, Result};
use std::path::{Path, PathBuf};
use jsonwebtoken::{decode, Algorithm, DecodingKey, Validation};

async fn get_file(
    token: &str,
    filename: &str,
    base_dir: &str,
) -> Result<HttpResponse> {
    // 1) Validate and decode JWT to extract subject (sub)
    let token_data = decode::