include::../description.adoc[]

== Noncompliant Code Example

----
const fs = require('fs');

function (req, res) {
  const reqPath = __dirname + req.query.filename; // user-controlled path

  let data = fs.readFileSync(reqPath, { encoding: 'utf8', flag: 'r' }); // Noncompliant
}
----

== Compliant Solution

----
const fs = require('fs');
const pathmodule = require('path');

function (req, res) {
  const reqPath = __dirname + req.query.filename; // user-controlled path
  const resolvedPath = pathmodule.resolve(reqPath); // resolve will resolve "../"

  if (resolvedPath.startsWith(__dirname + '/uploads')) { // the requested filename cannot be retrieved outside of the "/uploads" folder
    let data = fs.readFileSync(resolvedPath, { encoding: 'utf8', flag: 'r' }); // Compliant
  }
}
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]