Unsanitized user input in HTTP send file request

Description

Passing unsanitized user input to the sendFile API is bad practice and can lead to path manipulation, by which attackers can gain access to resources and data outside of the intended scope.

Remediations

✅ Set the root option to be an absolute path to a directory

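const path = require("path")

app.post("/upload/:filename", (req, res) => {
  // root must be an absolute path; sendFile resolves the file name relative to it
  const options = {
    root: path.join(__dirname, "upload")
  }
  res.sendFile(req.params.filename, options)
})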
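The containment that the root option is meant to provide can also be checked explicitly before the file is sent. The following is an added example, not code from Bearer or Express; the helper name `resolveUnderRoot`, the directory `/srv/app/upload` and the sample file names are assumptions constructed for illustration.

```javascript
const path = require("node:path")

// Constructed upload directory for this example (POSIX path).
const UPLOAD_ROOT = "/srv/app/upload"

// Hypothetical helper: return the absolute path of `requested` if it stays
// strictly inside `root`, otherwise null.
function resolveUnderRoot(root, requested) {
  if (typeof requested !== "string" || requested === "") return null
  if (requested.includes("\0")) return null // NUL bytes never belong in a file name

  const absRoot = path.resolve(root)
  // An absolute `requested` replaces absRoot here, so it is caught below too.
  const candidate = path.resolve(absRoot, requested)
  const rel = path.relative(absRoot, candidate)

  // Compare whole path segments: a string-prefix test would wrongly accept
  // the sibling directory "/srv/app/upload-private".
  const escapes = rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)
  if (rel === "" || escapes) return null // "" means the root directory itself
  return candidate
}

// Constructed sample inputs, as they might arrive in req.params.filename.
function checkSamples() {
  const samples = ["report.pdf", "img/../report.pdf", "../server.js",
    "/etc/passwd", "a/../../upload-private/key.pem"]
  return samples.map((name) => [name, resolveUnderRoot(UPLOAD_ROOT, name)])
}

for (const [name, resolved] of checkSamples()) {
  console.log(JSON.stringify(name), "->", resolved ?? "rejected")
}
```

In a route handler, a null result would be answered with an error status instead of calling sendFile, and the root option stays set as a second layer.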

Resources

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_express_external_file_upload

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_express_external_file_upload