Unsanitized user input in HTTP send file request

Description

Using unsanitized user input in the sendFile API call exposes your application to path manipulation attacks. This vulnerability allows attackers to access files and resources they shouldn't be able to, by manipulating file paths in requests.

Remediations

  • Do set the root option to an absolute path to a directory when using sendFile. This confines the accessible files to that directory: with root set, Express resolves the requested name under root only and rejects paths containing ".." segments, so a request cannot reach files outside of this directory.
    const express = require("express");
    const path = require("path");
    const app = express();

    // The route parameter supplies the filename that the handler reads below
    app.post("/upload/:filename", (req, res) => {
      // Absolute directory that every served file must live under
      var options = {
        root: path.join(__dirname, "upload")
      };
      // The user-supplied name is resolved relative to root, never as a full path
      res.sendFile(req.params.filename, options);
    });

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_express_external_file_upload

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_express_external_file_upload