Problem with directory traversal/path traversal

Mr.Rdcti186h · January 22, 2021, 8:53am

(nodejs/expressjs) I don’t know when I need to worry about this problem and apply protection to prevent this problem…

Do I always need to watch out for directory traversal/path traversal security problem every time when I am developing back end or only when I am doing some specific things(one example I can think of is using user input data to get a file in my server…)?
In expressjs, “express.static()” prevents directory traversal/path traversal by default, what about if I am creating an API(front end is using reactjs), how do I prevent directory traversal/path traversal for my API routes?

Marmiz · January 22, 2021, 9:11am

1 - I tend to always worry about running “user input” data.
So in a sense yes, if you are writing server side code that accepts a user input path, sanitize it and make all the possible checks before blindly using it.

For example node offers a path.normalize function, you can use it to parse and verify the input against your security checks.

2 - Same as above, check the input, if it’s not within your constrains, send back an error.

There’s a great repo with lots of tips for node.js called Node best practices, maybe it can helps.

Mr.Rdcti186h · January 22, 2021, 1:01pm

So… directory traversal/path traversal security problem is always coming from user input data ? So basically if I always validate and sanitize my user input data, I don’t need to worry about directory traversal/path traversal security problem?

nhcarrigan · January 22, 2021, 3:41pm

For the most part, yes. A common directory traversal attack vector is through a GET route that is set up to return a file - for example, if you have a blog site and you set up a route that returns a post based on a filename parameter, then I could send a GET request to that route like: https://yoursite.com/api/get-post?filename=../../../../.env and if your code is written to send back the file located at /files/${filename} I could potentially get back your secret file.

Some good ways to prevent this are things like:

Strip any path separators from the request (so, remove things like ./ and ../) before building your filepath
Validate that the filepath points to the correct directory for content before sending back files.

Security is a complicated and tricky thing, and there are always new “gotchas” to look out for.

Mr.Rdcti186h · January 22, 2021, 4:22pm

So looks like directory traversal/path traversal attack is more likely going to happen if I am dealing with sending file back to the client, so if I am only dealing with sending data(like data from database), I don’t need to worry about directory traversal/path traversal attack?
(Example of sending data from database back to client)
```
app.post('/api/:name', (req, res, next)=>{
     const productName = req.params.name;
     const productDetails = getProductDetailsFromDB(productName );
     res.send({
       productDetails 
     });
});
```
What about when I am serving static files or using a template engine like ejs at the back end, I also need to watch out for directory traversal/path traversal attacks right?(I know that expressjs’s “express.static()” prevent the attack but if I am using nodejs without any frameworks, I need to implement my own protection right?)

am I correct for both questions?

thank you

Mr.Rdcti186h · January 23, 2021, 7:40am

After some research on the internet and read some articles/posts about directory traversal/path traversal security problem, I still don’t quite get when I need to watch out for this kind of security problem, should I always need to watch out for this kind of security problem when I am developing a back-end or only when I am doing/implementing certain things/features?