Possible path traversal vulnerability detected.
- Rule ID: javascript_express_path_traversal
- Languages: javascript
- Source: path_traversal.yml
Description
Allowing unsanitized user input in path resolution methods means an attacker could gain access to files and folders outside of the intended scope.
Remediations
❌ Avoid wherever possible
✅ Sanitize user input when resolving paths, for example:
- Use replace() to mitigate against unwanted patterns in the path (such as ..\..)
- Actively guard against paths that end in "%00" (poison NULL byte attacks)
- Use path concatenation to ensure the intended scope is respected
const path = require("path");
const express = require("express");
const app = express();

app.get("/", (req, res) => {
  const requested = req.query.path;
  // Reject missing input and poison NULL bytes ("%00") before any path handling
  if (typeof requested !== "string" || requested.indexOf("\0") !== -1) {
    return res.status(400).end(); // prevent access
  }
  // Strip leading "../" or "..\" segments from the supplied path
  const folder = requested.replace(/^(\.\.(\/|\\|$))+/, "");
  // Concatenate onto the intended root so the result stays inside it
  const pathname = path.join("/public/", folder);
  // path.join normalises any remaining ".." segments; confirm the root is still the prefix
  if (pathname.indexOf("/public/") !== 0) {
    return res.status(403).end(); // prevent access
  }
  res.sendFile(path.resolve(pathname));
});
Resources
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=javascript_express_path_traversal
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=javascript_express_path_traversal