Problem with directory traversal/path traversal

(nodejs/expressjs) I don’t know when I need to worry about this problem and apply protection to prevent this problem…

  1. Do I always need to watch out for the directory traversal/path traversal security problem every time I am developing a back end, or only when I am doing some specific things (one example I can think of is using user input data to get a file on my server…)?

  2. In expressjs, “express.static()” prevents directory traversal/path traversal by default, but what if I am creating an API (the front end is using reactjs)? How do I prevent directory traversal/path traversal for my API routes?

1 - I tend to always worry about running “user input” data.
So in a sense yes: if you are writing server side code that accepts a user input path, sanitize it and make all the possible checks before blindly using it.

For example, node offers a path.normalize function; you can use it to parse and verify the input against your security checks.

2 - Same as above: check the input, and if it’s not within your constraints, send back an error.

There’s a great repo with lots of tips for node.js called Node best practices; maybe it can help.


So… does the directory traversal/path traversal security problem always come from user input data? So basically, if I always validate and sanitize my user input data, I don’t need to worry about the directory traversal/path traversal security problem?

For the most part, yes. A common directory traversal attack vector is through a GET route that is set up to return a file. For example, if you have a blog site and you set up a route that returns a post based on a filename parameter, then I could send a GET request to that route like: https://yoursite.com/api/get-post?filename=../../../../.env and, if your code is written to send back the file located at /files/$(unknown), I could potentially get back your secret file.

Some good ways to prevent this are things like:

  • Strip any path separators from the request (so, remove things like ./ and ../) before building your filepath
  • Validate that the filepath points to the correct directory for content before sending back files.

Security is a complicated and tricky thing, and there are always new “gotchas” to look out for.

  • So it looks like a directory traversal/path traversal attack is more likely to happen if I am dealing with sending a file back to the client, so if I am only dealing with sending data (like data from a database), I don’t need to worry about directory traversal/path traversal attacks?
    (Example of sending data from the database back to the client)

    app.post('/api/:name', (req, res, next) => {
      const productName = req.params.name;
      const productDetails = getProductDetailsFromDB(productName);
      res.send({
        productDetails
      });
    });

  • What about when I am serving static files or using a template engine like ejs at the back end? I also need to watch out for directory traversal/path traversal attacks, right? (I know that expressjs’s “express.static()” prevents the attack, but if I am using nodejs without any framework, I need to implement my own protection, right?)

Am I correct on both questions?

Thank you :smiley:

After doing some research on the internet and reading some articles/posts about the directory traversal/path traversal security problem, I still don’t quite get when I need to watch out for this kind of security problem. Do I always need to watch out for it when I am developing a back end, or only when I am doing/implementing certain things/features?