javascript - does nodejs prevent directorypath traversal by default? - Stack Overflow

admin管理员组

文章数量:1023744

Expressjs's "express.static()" prevents directory/path traversal by default but I thought Nodejs does not have any protection towards directory/path traversal by default?? Recently trying to learn some web development security(directory/path traversal) and I created this:

const http = require("http");
const fs = require("fs");

http
  .createServer(function (req, res) {
    if (req.url === "/") {
      fs.readFile("./public/index.html", "UTF-8", function (err, data) {
        if (err) throw err;
        res.writeHead(200, { "Content-Type": "text/html" });
        res.end(data);
      });
    } else {
      if (req.url === "/favicon.ico") {
        res.writeHead(200, { "Content-Type": "image/ico" });
        res.end("404 file not found");
      } else {  
        fs.readFile(req.url, "utf8", function (err, data) {
          if (err) throw err;
          res.writeHead(200, { "Content-Type": "text/plain" });
          res.end(data);
        });
      }
    }
  })
  .listen(3000);

console.log("The server is running on port 3000");

to simulate directory/path traversal security vulnerability but I tried to use "../../../secret.txt" and when I check "req.url", it shows "/secret.txt" instead of "../../../secret.txt" and I also tried using "%2e" & "%2f", it still doesn't work, I still can't get "secret.txt"

(My folder Structure)

- node_modules
- public
  - css
    - style.css
  - images
    - dog.jpeg
  - js
    - script.js
  index.html
- package.json
- README.md
- server.js
- secret.txt

Expressjs's "express.static()" prevents directory/path traversal by default but I thought Nodejs does not have any protection towards directory/path traversal by default?? Recently trying to learn some web development security(directory/path traversal) and I created this:

const http = require("http");
const fs = require("fs");

http
  .createServer(function (req, res) {
    if (req.url === "/") {
      fs.readFile("./public/index.html", "UTF-8", function (err, data) {
        if (err) throw err;
        res.writeHead(200, { "Content-Type": "text/html" });
        res.end(data);
      });
    } else {
      if (req.url === "/favicon.ico") {
        res.writeHead(200, { "Content-Type": "image/ico" });
        res.end("404 file not found");
      } else {  
        fs.readFile(req.url, "utf8", function (err, data) {
          if (err) throw err;
          res.writeHead(200, { "Content-Type": "text/plain" });
          res.end(data);
        });
      }
    }
  })
  .listen(3000);

console.log("The server is running on port 3000");

to simulate directory/path traversal security vulnerability but I tried to use "../../../secret.txt" and when I check "req.url", it shows "/secret.txt" instead of "../../../secret.txt" and I also tried using "%2e" & "%2f", it still doesn't work, I still can't get "secret.txt"

(My folder Structure)

- node_modules
- public
  - css
    - style.css
  - images
    - dog.jpeg
  - js
    - script.js
  index.html
- package.json
- README.md
- server.js
- secret.txt

• javascript
• node.js
• security

Share Improve this question Follow asked Jan 23, 2021 at 14:16 JustANewCoderJustANewCoder 43755 silver badges1515 bronze badges

Add a ment  | 

1 Answer 1

Sorted by: Reset to default 3

As per the documentation of express.static [1], which leads to the docs of the serve-static module [2], the directory you provide is the root directory, meaning it's intentionally made impossible to access anything outside of it.

To serve static files such as images, CSS files, and JavaScript files, use the express.static built-in middleware function in Express.

The function signature is:

express.static(root, [options])

The root argument specifies the root directory from which to serve static assets. For more information on the options argument, see express.static. [3]

[1] https://expressjs./en/starter/static-files.html

[2] https://expressjs./en/resources/middleware/serve-static.html#API

[3] https://expressjs./en/4x/api.html#express.static

---

Not related, but fyi: the path you're providing to fs etc. is relative to where the script is called from.

For example, if you call node server.js from the root folder of the application, the path "./public/index.html" should work fine, but if you're calling it from a different path, it will fail, e.g. node /home/user/projects/this-project/server.js.

Thus, you should always join the path with __dirname, like so:

+const path = require("path");

-fs.readFile("./public/index.html", "UTF-8", function (err, data) {
+fs.readFile(path.join(__dirname, "./public/index.html"), "UTF-8", function (err, data) {
}

this makes the path relative to the directory of the current file you're trying to access it from, which is what you expect.

Expressjs's "express.static()" prevents directory/path traversal by default but I thought Nodejs does not have any protection towards directory/path traversal by default?? Recently trying to learn some web development security(directory/path traversal) and I created this:

const http = require("http");
const fs = require("fs");

http
  .createServer(function (req, res) {
    if (req.url === "/") {
      fs.readFile("./public/index.html", "UTF-8", function (err, data) {
        if (err) throw err;
        res.writeHead(200, { "Content-Type": "text/html" });
        res.end(data);
      });
    } else {
      if (req.url === "/favicon.ico") {
        res.writeHead(200, { "Content-Type": "image/ico" });
        res.end("404 file not found");
      } else {  
        fs.readFile(req.url, "utf8", function (err, data) {
          if (err) throw err;
          res.writeHead(200, { "Content-Type": "text/plain" });
          res.end(data);
        });
      }
    }
  })
  .listen(3000);

console.log("The server is running on port 3000");

to simulate directory/path traversal security vulnerability but I tried to use "../../../secret.txt" and when I check "req.url", it shows "/secret.txt" instead of "../../../secret.txt" and I also tried using "%2e" & "%2f", it still doesn't work, I still can't get "secret.txt"

(My folder Structure)

- node_modules
- public
  - css
    - style.css
  - images
    - dog.jpeg
  - js
    - script.js
  index.html
- package.json
- README.md
- server.js
- secret.txt

Expressjs's "express.static()" prevents directory/path traversal by default but I thought Nodejs does not have any protection towards directory/path traversal by default?? Recently trying to learn some web development security(directory/path traversal) and I created this:

const http = require("http");
const fs = require("fs");

http
  .createServer(function (req, res) {
    if (req.url === "/") {
      fs.readFile("./public/index.html", "UTF-8", function (err, data) {
        if (err) throw err;
        res.writeHead(200, { "Content-Type": "text/html" });
        res.end(data);
      });
    } else {
      if (req.url === "/favicon.ico") {
        res.writeHead(200, { "Content-Type": "image/ico" });
        res.end("404 file not found");
      } else {  
        fs.readFile(req.url, "utf8", function (err, data) {
          if (err) throw err;
          res.writeHead(200, { "Content-Type": "text/plain" });
          res.end(data);
        });
      }
    }
  })
  .listen(3000);

console.log("The server is running on port 3000");

to simulate directory/path traversal security vulnerability but I tried to use "../../../secret.txt" and when I check "req.url", it shows "/secret.txt" instead of "../../../secret.txt" and I also tried using "%2e" & "%2f", it still doesn't work, I still can't get "secret.txt"

(My folder Structure)

- node_modules
- public
  - css
    - style.css
  - images
    - dog.jpeg
  - js
    - script.js
  index.html
- package.json
- README.md
- server.js
- secret.txt

• javascript
• node.js
• security

Share Improve this question Follow asked Jan 23, 2021 at 14:16 JustANewCoderJustANewCoder 43755 silver badges1515 bronze badges

Add a ment  | 

1 Answer 1

Sorted by: Reset to default 3

As per the documentation of express.static [1], which leads to the docs of the serve-static module [2], the directory you provide is the root directory, meaning it's intentionally made impossible to access anything outside of it.

To serve static files such as images, CSS files, and JavaScript files, use the express.static built-in middleware function in Express.

The function signature is:

express.static(root, [options])

The root argument specifies the root directory from which to serve static assets. For more information on the options argument, see express.static. [3]

[1] https://expressjs./en/starter/static-files.html

[2] https://expressjs./en/resources/middleware/serve-static.html#API

[3] https://expressjs./en/4x/api.html#express.static

---

Not related, but fyi: the path you're providing to fs etc. is relative to where the script is called from.

For example, if you call node server.js from the root folder of the application, the path "./public/index.html" should work fine, but if you're calling it from a different path, it will fail, e.g. node /home/user/projects/this-project/server.js.

Thus, you should always join the path with __dirname, like so:

+const path = require("path");

-fs.readFile("./public/index.html", "UTF-8", function (err, data) {
+fs.readFile(path.join(__dirname, "./public/index.html"), "UTF-8", function (err, data) {
}

this makes the path relative to the directory of the current file you're trying to access it from, which is what you expect.

本文标签： javascriptdoes nodejs prevent directorypath traversal by defaultStack Overflow