JavaScript Non-Literal Filesystem Filename

What it is

The JavaScript application uses dynamic or user-controlled input to construct filesystem paths for file operations, potentially leading to path traversal attacks. This vulnerability allows attackers to access files outside the intended directory structure, potentially reading sensitive files or overwriting critical system files.

// Vulnerable: User input directly in file path
const fs = require('fs');
const path = require('path');

app.get('/download/:filename', (req, res) => {
  const filename = req.params.filename;
  
  // Dangerous: User-controlled filename
  const filePath = path.join(__dirname, 'uploads', filename);
  
  fs.readFile(filePath, (err, data) => {
    if (err) {
      return res.status(404).send('File not found');
    }
    res.send(data);
  });
});

// Secure: Path validation and sanitization
const fs = require('fs');
const path = require('path');

const UPLOAD_DIR = path.resolve(__dirname, 'uploads');
const ALLOWED_EXTENSIONS = ['.txt', '.pdf', '.jpg', '.png'];

app.get('/download/:filename', (req, res) => {
  const filename = req.params.filename;
  
  // Validate filename format
  if (!/^[a-zA-Z0-9._-]+$/.test(filename)) {
    return res.status(400).json({ error: 'Invalid filename' });
  }
  
  // Check file extension
  const ext = path.extname(filename).toLowerCase();
  if (!ALLOWED_EXTENSIONS.includes(ext)) {
    return res.status(400).json({ error: 'File type not allowed' });
  }
  
  // Resolve and validate path
  const filePath = path.resolve(UPLOAD_DIR, filename);
  
  // Ensure file is within upload directory
  if (!filePath.startsWith(UPLOAD_DIR)) {
    return res.status(400).json({ error: 'Invalid file path' });
  }
  
  fs.readFile(filePath, (err, data) => {
    if (err) {
      return res.status(404).json({ error: 'File not found' });
    }
    res.send(data);
  });
});

Why it happens

Node.js applications construct file paths using user-controlled input without validation: fs.readFile(req.query.filename, callback) or fs.writeFile('/uploads/' + req.body.name, data). Attackers provide path traversal sequences like '../../../etc/passwd' to access files outside intended directory. User input from req.query, req.params, req.body, or file upload names gets directly concatenated into file paths. Applications assume users provide only legitimate filenames without considering malicious input. Path traversal allows reading sensitive files (configuration, credentials, source code), overwriting critical files, or accessing other users' data in multi-tenant applications. Even seemingly safe operations like reading uploaded files become vulnerable when filenames aren't validated.

Fixes

Related Vulnerabilities