Avoid allowing access to unintended directories or files
ID: javascript-express/path-traversal
Language: JavaScript
Severity: Warning
Category: Security
CWE : 22
Description: By not sanitizing user input before using it in path resolution methods, you open your application's access to unintended directories and files.
If you call `replace` on a user input, this rule assumes you have done so correctly and will not report a violation; the rule does not verify that the replacement actually confines the path, so that remains the developer's responsibility.
// Non-compliant code example
const path = require("path");

// Request-controlled values flow directly into path.join / path.resolve
// without any sanitization, so the rule reports each call below.
app.get("/", (req, res) => {
  // route parameter joined under a fixed base
  path.join("/user/", req.params.path);

  // body field joined under a fixed base, then resolved
  const publicPath = path.join("/public/", req.body.foo);
  path.resolve(publicPath);

  // body field resolved against the module directory, plain and via a template literal
  path.resolve(__dirname, req.body.foo);
  path.resolve(__dirname, `${req.body.foo}`);
});
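// Compliant code example
const path = require("path");

/**
 * Resolve an untrusted path fragment beneath `baseDir` and verify the result stays inside it.
 *
 * The `replace` call strips only leading "../" (or "..\" / bare "..") sequences, which is what
 * the rule recognises as sanitization. Because the regex is anchored at the start of the value,
 * an embedded "a/../../x" or an absolute path would still be resolved outside the base, so the
 * resolved path is compared against the base directory before it is returned.
 *
 * @param {string} baseDir - directory the caller is allowed to work under
 * @param {string} untrustedSegment - request-controlled path fragment
 * @returns {string} absolute path inside `baseDir`
 * @throws {Error} when the resolved path lies outside `baseDir`
 */
function resolveWithin(baseDir, untrustedSegment) {
  const root = path.resolve(baseDir);
  // path.resolve ignores `root` if the fragment is absolute; the prefix check below catches that
  const resolved = path.resolve(root, untrustedSegment.replace(/^(\.\.(\/|\\|$))+/, ""));
  const prefix = root.endsWith(path.sep) ? root : root + path.sep;
  if (resolved !== root && !resolved.startsWith(prefix)) {
    throw new Error("path escapes base directory");
  }
  return resolved;
}

app.get("/", (req, res) => {
  // route parameter confined under /user/
  resolveWithin("/user/", req.params.path);

  // body field confined under /public/, then resolved again as in the original example
  const pathname = resolveWithin("/public/", req.body.foo);
  path.resolve(pathname);

  // body field confined under the module directory, plain and via a template literal
  resolveWithin(__dirname, req.body.foo);
  resolveWithin(__dirname, `${req.body.foo}`);
});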