
Node.js - resolve path and prevent access above parent directory

Created by:
Creg

In this article, we would like to show a simple way to resolve a path and prevent access above the parent directory in Node.js.

It is common to resolve paths on the server side in web applications. Sometimes it is necessary to send a path as an API parameter, which may be dangerous. In that case we need to guard against parameters that contain .., ../.., ../../.., etc. The solution to the problem is to use the resolve() and startsWith() methods, as shown in the next section.

Practical example

In this section you will find a reusable tool that resolves paths while preventing access above the parent directory.

script.js file:

const PATH = require('path');  // OR:  require('node:path')

const resolvePath = (parent, path) => {
    const master = PATH.resolve(parent);
    const result = PATH.resolve(master, path);
    // Compare on a directory boundary: a bare startsWith(master) would also
    // accept sibling directories such as /home/john/public2.
    const prefix = master.endsWith(PATH.sep) ? master : master + PATH.sep;
    if (result === master || result.startsWith(prefix)) {
        return result;
    }
    throw new Error('Access to indicated directory is forbidden.');
};



// Usage example:

const publicPath = '/home/john/public';  // We allow to resolve paths only under this location.

// Correct paths:
//
const picturesPath = resolvePath(publicPath, 'pictures');        // ✅ /home/john/public/pictures
const moviesPath = resolvePath(publicPath, 'movies');            // ✅ /home/john/public/movies
const musicPath = resolvePath(publicPath, 'music');              // ✅ /home/john/public/music

// Forbidden paths (each call throws Error: "Access to indicated directory is forbidden."):
//
const forbiddenPath1 = resolvePath(publicPath, '..');            // ❌ /home/john
const forbiddenPath2 = resolvePath(publicPath, '../Desktop');    // ❌ /home/john/Desktop
const forbiddenPath3 = resolvePath(publicPath, '../../..');      // ❌ /
const forbiddenPath4 = resolvePath(publicPath, '../../../etc');  // ❌ /etc
const forbiddenPath5 = resolvePath(publicPath, '../public2');    // ❌ /home/john/public2


Alternative solution

const PATH = require('path');  // OR:  require('node:path')

const resolvePath = (parent, path) => {
    const result = PATH.resolve(parent, path);
    const relative = PATH.relative(parent, result);
    // Reject only a real '..' segment: a name such as '..data' is a valid child.
    // On Windows, a path on another drive yields an absolute relative path.
    if (relative === '..' || relative.startsWith('..' + PATH.sep) || PATH.isAbsolute(relative)) {
        throw new Error('Access to indicated directory is forbidden.');
    }
    return result;
};



// Usage example:

const publicPath = '/home/john/public';  // We allow to resolve paths only under this location.

// Correct paths:
//
const picturesPath = resolvePath(publicPath, 'pictures');        // ✅ /home/john/public/pictures
const moviesPath = resolvePath(publicPath, 'movies');            // ✅ /home/john/public/movies
const musicPath = resolvePath(publicPath, 'music');              // ✅ /home/john/public/music

// Forbidden paths (each call throws Error: "Access to indicated directory is forbidden."):
//
const forbiddenPath1 = resolvePath(publicPath, '..');            // ❌ /home/john
const forbiddenPath2 = resolvePath(publicPath, '../Desktop');    // ❌ /home/john/Desktop
const forbiddenPath3 = resolvePath(publicPath, '../../..');      // ❌ /
const forbiddenPath4 = resolvePath(publicPath, '../../../etc');  // ❌ /etc
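
Both variants above compare path strings only: path.resolve() never touches the filesystem, so a symbolic link inside the allowed directory can still lead outside it. The following added example (not part of the original article; resolveRealPath, buildSampleTree, runDemo and the temporary directory layout are assumptions made for illustration) canonicalizes both paths with fs.realpathSync() before the comparison.

```javascript
const fs = require('fs');
const os = require('os');
const PATH = require('path');

// Hypothetical helper (an assumption, not the article's code): compares real
// filesystem locations, so symlinks cannot lead outside the parent directory.
const resolveRealPath = (parent, path) => {
    const master = fs.realpathSync(parent);                    // canonical allowed root
    const real = fs.realpathSync(PATH.resolve(master, path));  // follows symlinks; throws ENOENT if missing
    const prefix = master.endsWith(PATH.sep) ? master : master + PATH.sep;
    if (real === master || real.startsWith(prefix)) {
        return real;
    }
    throw new Error('Access to indicated directory is forbidden.');
};

// Constructed sample layout in a temporary directory:
//   <tmp>/public/pictures     real directory
//   <tmp>/public/link         symlink pointing to <tmp>/secret
//   <tmp>/public-backup       sibling sharing the "public" name prefix
//   <tmp>/secret              directory outside the allowed root
const buildSampleTree = () => {
    const root = fs.realpathSync(fs.mkdtempSync(PATH.join(os.tmpdir(), 'resolve-demo-')));
    for (const dir of ['public/pictures', 'public-backup', 'secret']) {
        fs.mkdirSync(PATH.join(root, dir), { recursive: true });
    }
    fs.symlinkSync(PATH.join(root, 'secret'), PATH.join(root, 'public', 'link'), 'dir');
    return root;
};

// Returns 'allowed' or 'forbidden' for each constructed input.
const runDemo = () => {
    const root = buildSampleTree();
    const publicPath = PATH.join(root, 'public');
    const verdicts = {};
    for (const input of ['pictures', '.', 'link', '../public-backup', '../secret']) {
        try {
            resolveRealPath(publicPath, input);
            verdicts[input] = 'allowed';
        } catch (error) {
            verdicts[input] = 'forbidden';
        }
    }
    fs.rmSync(root, { recursive: true, force: true });
    return verdicts;
};

console.log(runDemo());
```

realpathSync() throws ENOENT for paths that do not exist, so this variant suits reading existing files; the check and the later file access are still two separate steps.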


Alternative titles

  1. Node.js - resolve path and protect access above parent directory
  2. Node.js - resolve path and block access above parent directory
  3. Node.js - resolve path and prevent access over parent directory
  4. Node.js - resolve path and protect access over parent directory
  5. Node.js - resolve path and block access over parent directory
  6. Node.js - resolve path and prevent access above base directory