Possible path traversal vulnerability detected.
- Rule ID: javascript_express_path_traversal
- Languages: javascript
- Source: path_traversal.yml
Description
Allowing unsanitized user input in path resolution methods means an attacker could gain access to files and folders outside of the intended scope.
Remediations
❌ Avoid wherever possible
✅ Sanitize user input when resolving paths, for example:
- Use
replace()to mitigate against unwanted patterns in the path (such as\..\..) - Actively guard against paths that end in "%00" (poison NULL byte attacks)
- Use path concatenation to ensure the intended scope is respected
const path = require("path");
app.get("/", (req, res) => {
if (req.params.path.indexOf('\0')) !== -1 {
// prevent access
}
var folder = req.params.path.replace(/^(\.\.(\/|\\|$))+/, '')
var pathname = path.join("/public/", folder)
if pathname.indexOf("/public/") !== 0 {
// prevent access
}
path.resolve(pathname)
})