From 0cb2c1a0fa8ed27763427576b053d619c0d55cb7 Mon Sep 17 00:00:00 2001
From: bitterpanda
Date: Mon, 1 Jun 2026 14:59:58 +0200
Subject: [PATCH] Make path traversal containment check case-insensitive

---
 .../vulnerabilities/path_traversal/detect_path_traversal.py | 2 +-
 .../path_traversal/detect_path_traversal_test.py | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/aikido_zen/vulnerabilities/path_traversal/detect_path_traversal.py b/aikido_zen/vulnerabilities/path_traversal/detect_path_traversal.py
index 26f31cbb4..13f32fcfa 100644
--- a/aikido_zen/vulnerabilities/path_traversal/detect_path_traversal.py
+++ b/aikido_zen/vulnerabilities/path_traversal/detect_path_traversal.py
@@ -28,7 +28,7 @@ def detect_path_traversal(file_path, user_input, check_path_start=True, is_url=F
         # Because the user input can't be part of the file path.
         return False
 
-    if user_input not in file_path:
+    if user_input.lower() not in file_path.lower():
         # We ignore cases where the user input is not part of the file path.
         return False
 
diff --git a/aikido_zen/vulnerabilities/path_traversal/detect_path_traversal_test.py b/aikido_zen/vulnerabilities/path_traversal/detect_path_traversal_test.py
index f627e3754..5a2c18926 100644
--- a/aikido_zen/vulnerabilities/path_traversal/detect_path_traversal_test.py
+++ b/aikido_zen/vulnerabilities/path_traversal/detect_path_traversal_test.py
@@ -150,3 +150,9 @@ def test_replacement_char_prefix_does_not_hide_traversal():
         detect_path_traversal(replacement * 3 + traversal, replacement * 3 + traversal)
         is True
     )
+
+def test_case_insensitive_path_containment():
+    assert detect_path_traversal("/etc/passwd", "/ETC/passwd") is True
+    assert detect_path_traversal("/etc/passwd", "/ETC/PASSWD") is True
+    assert detect_path_traversal("/home/user/file.txt", "/HOME/USER/file.txt") is True
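Review bot: The case-insensitive containment test on the `+` line is only a pre-filter, and the rest of detect_path_traversal runs outside this hunk; if a later comparison such as the check_path_start prefix test still compares `user_input` and `file_path` case-sensitively, a mixed-case input now passes this filter and is then judged by different rules, so the same normalization should be applied there (or a comment should state that it already is). The rationale is also undocumented: the match is presumably loosened for case-insensitive filesystems (Windows, macOS by default) where `/ETC/passwd` resolves to `/etc/passwd`, but on a case-sensitive filesystem the function will now report a traversal for inputs that do not reach the file, a deliberate false-positive trade-off worth recording, e.g. `# Case-insensitive: on case-insensitive filesystems a case mismatch must not hide the traversal.` For caseless matching Python documents `str.casefold()` as the intended tool rather than `lower()` (it also folds characters like `ß`), though neither reproduces any particular filesystem's folding exactly, so whichever is chosen should be used consistently for every comparison in this function.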
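Review bot: The three new assertions only pin the positive direction of the relaxed containment check; none confirms that an input absent from the path in every casing is still rejected, so a regression that made the filter over-match would go unnoticed. One negative case keeps the pre-filter's contract covered, e.g. `assert detect_path_traversal("/etc/passwd", "/ETC/shadow") is False`, and a mixed-case input that is a proper substring rather than the whole path (for instance `"ETC/PASSWD"` against `"/etc/passwd"`) would exercise containment rather than an equal-length match. The expected result of that substring case depends on the check_path_start handling that lives outside this hunk, so derive its expected value from that logic rather than from the containment line alone.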