Unsanitized user input in file path

• Rule ID: javascript_express_path_traversal
• Languages: javascript
• Source: path_traversal.yml

Description

Allowing unsanitized user input in path resolution methods means an attacker could gain access to files and folders outside of the intended scope.

Remediations

❌ Avoid wherever possible

✅ Sanitize user input when resolving paths, for example:

• Use replace() to mitigate against unwanted patterns in the path (such as \..\..)
• Actively guard against paths that end in "%00" (poison NULL byte attacks)
• Use path concatenation to ensure the intended scope is respected

const path = require("path");

app.get("/", (req, res) => {
  if (req.params.path.indexOf('\0')) !== -1 {
    // prevent access
  }

  var folder = req.params.path.replace(/^(\.\.(\/|\\|$))+/, '')

  var pathname = path.join("/public/", folder)
  if pathname.indexOf("/public/") !== 0 {
    // prevent access
  }

  path.resolve(pathname)
})

Resources

• OWASP path traversal

Associated CWE

• CWE-73: External Control of File Name or Path

OWASP Top 10

• A04:2021 - Insecure Design

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_express_path_traversal

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_express_path_traversal