Improper handling of file paths can lead to security vulnerabilities known as directory traversal attacks. These vulnerabilities allow an attacker to access arbitrary files on the server.
What is a Directory Traversal Attack?
A directory traversal attack occurs when an attacker manipulates file paths to access files outside the intended directory. For instance, if an application uses a user-provided file path without validation, an attacker could use a path like ../../etc/passwd to access sensitive files on the server.
Example of a Directory Traversal Attack:
- Vulnerable Code:
const filePath = `public/uploads/${req.params.fileName}`;
Imagine you have a file download function that allows users to download files by providing an id. The application might construct the file path directly from the user input.
- Malicious Input:
/public/uploads/../../secret.txt
Here an attacker could provide a malicious input like ../../secret.txt, leading to an unintended file access.
- Consequences:
If the application does not validate this input, it could expose sensitive files, such as configuration files or user data, to the attacker.
Example of preventing such kind of attacks
import path from 'path';
import fs from 'fs/promises';
import { RequestHandler, NextFunction } from 'express';
// Point: 1
const BASE_DIRECTORY = path.resolve(__dirname, 'public/uploads');
export const downloadAttachment: RequestHandler = async (req, res, next: NextFunction) => {
// Point: 2
const { fileName } = req.params;
// Point: 3
const filePath = path.join(BASE_DIRECTORY, fileName);
const resolvedPath = path.resolve(filePath);
// Point: 4
if (!resolvedPath.startsWith(BASE_DIRECTORY)) {
return res.status(400).json({ message: "Invalid file path" });
}
try {
// Point: 5
await fs.access(resolvedPath);
// Point: 6
res.download(resolvedPath, path.basename(fileName), (err) => {
if (err) {
return next(err);
}
});
} catch {
// Point: 7
return res.status(404).json({ message: "File not found" });
}
};
Key Points Explained:
Base Directory Definition: Establishes a fixed directory for file uploads to restrict access.
Extracting File Name: Retrieves the requested file name from the URL parameters.
File Path Construction: Combines the base directory with the requested file name to create a full path.
Path Validation: Ensures that the resolved file path is within the designated base directory to prevent unauthorized access.
File Existence Check: Asynchronously checks if the file exists at the constructed path.
File Download Handling: Initiates the file download and handles any errors that may occur during the process.
Error Handling for Missing Files: Sends a 404 response if the requested file does not exist.
Acknowledgment: This document references information from PortSwigger Web Security and ChatGPT.
The above is the detailed content of Securing File Paths: Preventing Directory Traversal Attacks. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undress AI Tool
Undress images for free
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
Java vs. JavaScript: Clearing Up the Confusion
Jun 20, 2025 am 12:27 AM
Java and JavaScript are different programming languages, each suitable for different application scenarios. Java is used for large enterprise and mobile application development, while JavaScript is mainly used for web page development.
Javascript Comments: short explanation
Jun 19, 2025 am 12:40 AM
JavaScriptcommentsareessentialformaintaining,reading,andguidingcodeexecution.1)Single-linecommentsareusedforquickexplanations.2)Multi-linecommentsexplaincomplexlogicorprovidedetaileddocumentation.3)Inlinecommentsclarifyspecificpartsofcode.Bestpractic
How to work with dates and times in js?
Jul 01, 2025 am 01:27 AM
The following points should be noted when processing dates and time in JavaScript: 1. There are many ways to create Date objects. It is recommended to use ISO format strings to ensure compatibility; 2. Get and set time information can be obtained and set methods, and note that the month starts from 0; 3. Manually formatting dates requires strings, and third-party libraries can also be used; 4. It is recommended to use libraries that support time zones, such as Luxon. Mastering these key points can effectively avoid common mistakes.
Why should you place tags at the bottom of the ?
Jul 02, 2025 am 01:22 AM
PlacingtagsatthebottomofablogpostorwebpageservespracticalpurposesforSEO,userexperience,anddesign.1.IthelpswithSEObyallowingsearchenginestoaccesskeyword-relevanttagswithoutclutteringthemaincontent.2.Itimprovesuserexperiencebykeepingthefocusonthearticl
JavaScript vs. Java: A Comprehensive Comparison for Developers
Jun 20, 2025 am 12:21 AM
JavaScriptispreferredforwebdevelopment,whileJavaisbetterforlarge-scalebackendsystemsandAndroidapps.1)JavaScriptexcelsincreatinginteractivewebexperienceswithitsdynamicnatureandDOMmanipulation.2)Javaoffersstrongtypingandobject-orientedfeatures,idealfor
JavaScript: Exploring Data Types for Efficient Coding
Jun 20, 2025 am 12:46 AM
JavaScripthassevenfundamentaldatatypes:number,string,boolean,undefined,null,object,andsymbol.1)Numbersuseadouble-precisionformat,usefulforwidevaluerangesbutbecautiouswithfloating-pointarithmetic.2)Stringsareimmutable,useefficientconcatenationmethodsf
What is event bubbling and capturing in the DOM?
Jul 02, 2025 am 01:19 AM
Event capture and bubble are two stages of event propagation in DOM. Capture is from the top layer to the target element, and bubble is from the target element to the top layer. 1. Event capture is implemented by setting the useCapture parameter of addEventListener to true; 2. Event bubble is the default behavior, useCapture is set to false or omitted; 3. Event propagation can be used to prevent event propagation; 4. Event bubbling supports event delegation to improve dynamic content processing efficiency; 5. Capture can be used to intercept events in advance, such as logging or error processing. Understanding these two phases helps to accurately control the timing and how JavaScript responds to user operations.
What's the Difference Between Java and JavaScript?
Jun 17, 2025 am 09:17 AM
Java and JavaScript are different programming languages. 1.Java is a statically typed and compiled language, suitable for enterprise applications and large systems. 2. JavaScript is a dynamic type and interpreted language, mainly used for web interaction and front-end development.
