Path traversal attack in Node.js

Introduction

A path traversal attack, also known as a directory traversal attack, is a common security vulnerability in which an attacker manipulates user-supplied input to read files outside the intended directory or, in some cases, to execute arbitrary code. In Node.js, path traversal attacks can occur when user input is used to construct file paths without proper validation or sanitization.

Here is an example of how a path traversal attack can occur in a Node.js application:

const express = require('express');
const app = express();
const fs = require('fs');

// Intentionally vulnerable: the file name comes straight from the query string
app.get('/download', (req, res) => {
    const fileName = req.query.file;
    // No validation, so "../" in fileName escapes the uploads directory
    fs.readFile(`./uploads/${fileName}`, (err, data) => {
        if (err) {
            res.status(404).send('File not found');
        } else {
            res.send(data);
        }
    });
});

app.listen(3000, () => {
    console.log('Server started on port 3000');
});

In this example, we have an endpoint /download that allows a user to download a file from the uploads directory by passing the file name as a query parameter. However, the code does not validate or sanitize the file name before using it to construct the file path. This makes the application vulnerable to path traversal attacks, where an attacker can manipulate the file parameter to access files outside of the intended directory.

For example, an attacker can send a malicious request like http://localhost:3000/download?file=../config/config.json, which would result in the following file path being constructed:

./uploads/../config/config.json

This path traversal attack would allow the attacker to access the config.json file outside of the uploads directory, which could contain sensitive information like database credentials or API keys.

To prevent path traversal attacks in Node.js, it’s important to validate and sanitize user input before using it to construct file paths. One way to do this is to use a regular expression to match and remove any ../ sequences from the file name before constructing the file path. Here’s an example of how to prevent path traversal attacks in the above example:

app.get('/download', (req, res) => {
    // A missing or repeated ?file= parameter arrives as undefined or an array,
    // on which .replace() would throw, so reject anything that is not a string
    if (typeof req.query.file !== 'string') {
        return res.status(400).send('Missing file parameter');
    }
    // Strip every "../" sequence from the requested name before building the path
    const fileName = req.query.file.replace(/\.\.\//g, '');
    fs.readFile(`./uploads/${fileName}`, (err, data) => {
        if (err) {
            res.status(404).send('File not found');
        } else {
            res.send(data);
        }
    });
});

In this modified example, we use a regular expression to replace any ../ sequences in the file name with an empty string before constructing the file path. This ensures that the file path is properly validated and prevents path traversal attacks from occurring.
