Directory traversal vulnerabilities are one of the most common attack vectors that attackers use to read sensitive files on web servers. In this post, we’ll explore how directory traversal attacks work in Symfony, how you can identify and prevent them, and how to use our website vulnerability scanner online to secure your applications.
Symfony is a widely used PHP framework with powerful routing and file-handling capabilities. However, improper input validation in file paths can expose your application to directory traversal attacks.
Directory traversal (also known as path traversal) is a type of vulnerability where an attacker can access files and directories outside of the intended folder. This typically happens when an application does not properly sanitize user input in file paths.
For example:
http://example.com/download.php?file=../../../../etc/passwd
If your application directly uses this input to read files from the filesystem, it may expose sensitive server files.
Let’s take a look at a basic Symfony controller that reads files from a directory:
<?php
// src/Controller/DownloadController.php
namespace App\Controller;

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;

class DownloadController
{
    /**
     * @Route("/download", name="download_file")
     */
    public function downloadFile(Request $request): Response
    {
        // VULNERABLE: the "file" query parameter is concatenated into the path
        // without any validation, so "../" sequences escape the files directory.
        $filename = $request->query->get('file', '');
        $filePath = '/var/www/project/files/' . $filename;
        if (!file_exists($filePath)) {
            return new Response('File not found!', 404);
        }
        return new Response(file_get_contents($filePath));
    }
}
This looks simple, but it is dangerous: the file name taken from the request is concatenated straight into the filesystem path, so a value such as ../../etc/passwd reads files outside the intended directory.
Use Symfony’s Filesystem component together with a realpath() containment check to ensure the resolved file stays within the intended directory:
use Symfony\Component\Filesystem\Filesystem;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;

public function downloadFile(Request $request): Response
{
    // basename() strips every directory component, so "../../etc/passwd" becomes "passwd".
    $filename = basename((string) $request->query->get('file', ''));
    $baseDir = '/var/www/project/files/';

    // realpath() canonicalises "..", "." and symlinks, and returns false when the
    // path does not exist, so both results must be checked before any comparison.
    $realBase = realpath($baseDir);
    $filePath = realpath($baseDir . $filename);
    // Compare against the base directory WITH a trailing separator, so that a
    // sibling such as /var/www/project/files-secret does not pass the prefix test.
    if ($realBase === false || $filePath === false
        || strpos($filePath, $realBase . DIRECTORY_SEPARATOR) !== 0) {
        return new Response('Invalid file path!', 400);
    }

    $fs = new Filesystem();
    if (!$fs->exists($filePath) || !is_file($filePath)) {
        return new Response('File not found!', 404);
    }
    return new Response(file_get_contents($filePath));
}
use Symfony\Component\Config\FileLocator;
use Symfony\Component\Config\Exception\FileLocatorFileNotFoundException;
$locator = new FileLocator([__DIR__.'/../../files']);
try {
    $file = $locator->locate($filename); // first match as a string; throws if not found
} catch (FileLocatorFileNotFoundException $e) {
    return new Response('File not found!', 404);
}
FileLocator resolves a relative name against the configured directories and throws when nothing matches, which keeps file lookups tidy. It does not, however, reject ".." segments or absolute names on its own, so treat it as a convenience rather than a containment check and still run the realpath() prefix comparison shown above on the path it returns.
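The containment check is worth pulling out of the controller into one reusable function that handles the edge cases the inline version glosses over: realpath() returning false, a sibling directory that shares the base directory's name as a prefix, a symlink planted inside the allowed directory, an absolute path, and a NUL byte. The following is an added example written for this post, not code from the original article or from Symfony; it assumes PHP 8.0 or later (for str_contains and str_starts_with), and the directory layout it builds under the system temp directory is constructed purely for the demonstration.

```php
<?php
// Added example (not from the original post): a reusable containment check that a
// hardened download controller can call. Assumes PHP 8.0+; the directory names and
// files created below are constructed for the demo only.
declare(strict_types=1);

/**
 * Resolve $userInput as a regular file inside $baseDir.
 * Returns the canonical absolute path, or null if the input is empty, contains a
 * NUL byte, does not exist, is not a regular file, or resolves (through "..", an
 * absolute path or a symlink) to anything outside $baseDir.
 */
function resolveInsideBase(string $baseDir, string $userInput): ?string
{
    // NUL bytes truncate the path inside the C library calls PHP relies on.
    if ($userInput === '' || str_contains($userInput, "\0")) {
        return null;
    }

    $realBase = realpath($baseDir);
    if ($realBase === false || !is_dir($realBase)) {
        return null; // base directory is missing or unreadable
    }
    // Keep a trailing separator so a sibling like "files-secret" is not a prefix match.
    $realBase = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // realpath() collapses "." and "..", follows symlinks and returns false for
    // non-existent paths, so the prefix test below only ever sees a real path.
    // The input is always joined to the base, never used as a path on its own.
    $candidate = realpath($realBase . $userInput);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }

    return str_starts_with($candidate, $realBase) ? $candidate : null;
}

// --- Self-contained demo with a constructed directory layout ---------------------
$root = sys_get_temp_dir() . '/traversal-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/files', 0700, true);
mkdir($root . '/files-secret', 0700);
file_put_contents($root . '/files/report.pdf', 'public report');
file_put_contents($root . '/files-secret/key.txt', 'not for download');
file_put_contents($root . '/outside.txt', 'not for download');
// A symlink planted inside the allowed directory that points outside it (POSIX only;
// if symlink() is unavailable the case is still rejected because realpath() fails).
@symlink($root . '/outside.txt', $root . '/files/escape.txt');

$cases = [
    'report.pdf'              => 'allowed: regular file inside files/',
    '../outside.txt'          => 'rejected: ".." leaves files/',
    '../files-secret/key.txt' => 'rejected: sibling dir shares the prefix "files"',
    'escape.txt'              => 'rejected: symlink resolves outside files/',
    '/etc/passwd'             => 'rejected: absolute input is still joined to base',
    "report.pdf\0.txt"        => 'rejected: NUL byte',
];
foreach ($cases as $input => $why) {
    $resolved = resolveInsideBase($root . '/files', $input);
    printf("%-26s -> %-6s (%s)\n", addcslashes($input, "\0"),
        $resolved === null ? 'REJECT' : 'OK', $why);
}

// Remove the constructed fixture.
foreach (['files/escape.txt', 'files/report.pdf', 'files-secret/key.txt', 'outside.txt'] as $f) {
    @unlink("$root/$f");
}
rmdir("$root/files");
rmdir("$root/files-secret");
rmdir($root);
```

Run it with php on the command line; only report.pdf should print OK. The sibling-directory case is the one that a bare prefix comparison without the trailing separator gets wrong, and the symlink case is why the check must run on the realpath() result rather than on the string the application built.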
Before deploying, it’s crucial to test your website for vulnerabilities.
You can use our Website Vulnerability Scanner to instantly scan your website for directory traversal flaws and other critical vulnerabilities.
Figure: the free tools page, and an example vulnerability assessment report generated with the tool.
This tool provides a comprehensive security assessment report with immediate recommendations. No login required.
Let’s simulate an exploit using Burp Suite or curl:
curl -X GET "http://yourwebsite.com/download?file=../../../../etc/passwd"
If the response includes the contents of /etc/passwd, your Symfony app is vulnerable. Secure it now using the examples provided above.
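The curl check above is a one-off; it belongs in the test suite so the fix cannot regress silently. The following is an added example, not code from the original post or from Symfony: a PHPUnit functional test built on Symfony's WebTestCase. It assumes the hardened controller is routed at /download and reads the "file" query parameter, and that the test environment's files directory contains a fixture named "report.pdf" (both are assumptions about your project).

```php
<?php
// Added example, not from the original post: a PHPUnit functional test that turns
// the manual curl check into a regression test. Assumes the hardened controller is
// routed at /download, reads the "file" query parameter, and that a fixture named
// "report.pdf" exists in the test environment's files directory (assumptions).
namespace App\Tests\Controller;

use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;

final class DownloadControllerTest extends WebTestCase
{
    /** Inputs that must never yield a 200 carrying content from outside the directory. */
    private const HOSTILE_INPUTS = [
        '../../../../etc/passwd',   // the payload from the curl check above
        '/etc/passwd',              // absolute path
        '../files-secret/key.txt',  // sibling directory sharing the "files" prefix
    ];

    public function testTraversalInputsAreRejected(): void
    {
        $client = static::createClient();
        foreach (self::HOSTILE_INPUTS as $input) {
            $client->request('GET', '/download', ['file' => $input]);
            $response = $client->getResponse();
            // Either 400 (containment check) or 404 (nothing found after basename()) is fine.
            self::assertContains($response->getStatusCode(), [400, 404], "input: $input");
            // /etc/passwd always contains a "root:" entry; its absence confirms no leak.
            self::assertStringNotContainsString('root:', (string) $response->getContent(), "input: $input");
        }
    }

    public function testLegitimateFileIsServed(): void
    {
        $client = static::createClient();
        $client->request('GET', '/download', ['file' => 'report.pdf']);
        self::assertResponseIsSuccessful();
    }
}
```

Run it with ./vendor/bin/phpunit tests/Controller/DownloadControllerTest.php. The positive test matters as much as the negative ones: a fix that rejects everything would pass the traversal assertions while breaking the feature.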
If you're diving deeper into web application security, visit our Cybersecurity Blog where we publish weekly updates on OWASP Top 10 risks, secure coding, and penetration testing techniques.
Looking for expert-level security testing for your Symfony or PHP-based application?
Check out our new service:
👉 Web Application Penetration Testing Services
We offer:
Manual & automated testing
OWASP-based reports
Vulnerability remediation support
Fast turnaround & detailed insights
Get a quote today and protect your users' data.
Directory traversal in Symfony can be prevented with secure file handling, input validation, and proper testing. Use the provided code examples, test your site using https://free.pentesttesting.com, and consider professional services for peace of mind.
Stay secure. Stay ahead. 💻🔐