EN
Node.js - resolve path and prevent access above parent directory
3 points
In this article, we would like to show simple way how to resolve path and prevent access above parent directory in Node.js.
It is common to resolve paths on server side in web applications. Simetimes it is necessary to send path as a API parameter what may be dangerous. In that case we need to control the parameter that contains .., ../.., ../../.., etc. The solution for the problem is to use resolve() and startsWith() methods what was show in the next section.
In this section you will find reusable tool that may be used to resolve paths preventing access above parent directory.
script.js file:
xxxxxxxxxx1
const PATH = require('path'); // OR: require('node:path')2
3
const resolvePath = (parent, path) => {4
const master = PATH.resolve(parent);5
const result = PATH.resolve(master, path);6
if (result.startsWith(master)) {7
return result;8
}9
throw new Error('Access to indicated directory is forbidden.');10
};11
12
13
14
// Usage example:15
16
const publicPath = '/home/john/public'; // We allow to resolve paths only under this location.17
18
// Correct paths:19
//20
const picturesPath = resolvePath(publicPath, 'pictures'); // ✅ /home/john/public/pictures21
const moviesPath = resolvePath(publicPath, 'movies'); // ✅ /home/john/public/movies22
const musicPath = resolvePath(publicPath, 'music'); // ✅ /home/john/public/music23
24
// Forbidden paths (they throw IOException: "Access to indicated directory is forbidden."):25
//26
const forbiddenPath1 = resolvePath(publicPath, '..'); // ❌ /home/john27
const forbiddenPath2 = resolvePath(publicPath, '../Desktop'); // ❌ /home/john/Desktop28
const forbiddenPath3 = resolvePath(publicPath, '../../..'); // ❌ /29
const forbiddenPath4 = resolvePath(publicPath, '../../../etc'); // ❌ /etc
xxxxxxxxxx1
const PATH = require('path'); // OR: require('node:path')2
3
const resolvePath = (parent, path) => {4
const result = PATH.resolve(parent, path);5
const relative = PATH.relative(parent, result);6
if (relative.startsWith('..')) {7
throw new Error('Access to indicated directory is forbidden.');8
}9
return result;10
};11
12
13
14
// Usage example:15
16
const publicPath = '/home/john/public'; // We allow to resolve paths only under this location.17
18
// Correct paths:19
//20
const picturesPath = resolvePath(publicPath, 'pictures'); // ✅ /home/john/public/pictures21
const moviesPath = resolvePath(publicPath, 'movies'); // ✅ /home/john/public/movies22
const musicPath = resolvePath(publicPath, 'music'); // ✅ /home/john/public/music23
24
// Forbidden paths (they throw IOException: "Access to indicated directory is forbidden."):25
//26
const forbiddenPath1 = resolvePath(publicPath, '..'); // ❌ /home/john27
const forbiddenPath2 = resolvePath(publicPath, '../Desktop'); // ❌ /home/john/Desktop28
const forbiddenPath3 = resolvePath(publicPath, '../../..'); // ❌ /29
const forbiddenPath4 = resolvePath(publicPath, '../../../etc'); // ❌ /etc
Alternative titles
- Node.js - resolve path and protect access above parent directory
- Node.js - resolve path and block access above parent directory
- Node.js - resolve path and prevent access over parent directory
- Node.js - resolve path and protect access over parent directory
- Node.js - resolve path and block access over parent directory
- Node.js - resolve path and prevent access above base directory
