Possible path traversal vulnerability detected.

Rule ID: javascript_express_path_traversal
Languages: javascript
Source: path_traversal.yml

Description

Allowing unsanitized user input in path resolution methods means an attacker could gain access to files and folders outside of the intended scope.

Remediations

❌ Avoid wherever possible

✅ Sanitize user input when resolving paths, for example:

Use replace() to mitigate against unwanted patterns in the path (such as \..\..)
Actively guard against paths that end in "%00" (poison NULL byte attacks)
Use path concatenation to ensure the intended scope is respected

const path = require("path");

app.get("/", (req, res) => {
  if (req.params.path.indexOf('\0')) !== -1 {
    // prevent access
  }

  var folder = req.params.path.replace(/^(\.\.(\/|\\|$))+/, '')

  var pathname = path.join("/public/", folder)
  if pathname.indexOf("/public/") !== 0 {
    // prevent access
  }

  path.resolve(pathname)
})

Resources

OWASP path traversal

Associated CWE

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

OWASP Top 10

A01:2021 - Broken Access Control

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_express_path_traversal

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_express_path_traversal

Ready to take the next step? Learn more about Bearer Cloud.