include::../description.adoc[]
== Noncompliant Code Example
----
const fs = require('fs');
// Noncompliant: `req.query.filename` is attacker-controlled and reaches the
// filesystem unchanged. Plain string concatenation does not normalise the
// path, so a value containing ".." segments can leave the directory the
// handler is meant to serve from (path traversal / path injection).
function (req, res) {
  const reqPath = __dirname + req.query.filename; // user-controlled path, no validation or allow-list check
  let data = fs.readFileSync(reqPath, { encoding: 'utf8', flag: 'r' }); // Noncompliant
}
----
== Compliant Solution
----
const fs = require('fs');
const pathmodule = require('path');
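/**
 * Reads the file named by `req.query.filename`, but only when the resolved
 * path lies strictly inside the `uploads` directory under `baseDir`.
 *
 * The user value is concatenated onto `baseDir` (as in the original sample), so a
 * legitimate request looks like `?filename=/uploads/report.txt`.
 *
 * @param {{query: {filename?: unknown}}} req - incoming request; `filename` is user-controlled
 * @param {object} res - response object (not used here; kept for the handler signature)
 * @param {string} [baseDir=__dirname] - directory the user-supplied path is appended to
 * @returns {string|undefined} file contents as UTF-8, or `undefined` when the request is rejected
 * @throws when the file inside `uploads` cannot be read (e.g. ENOENT, EISDIR)
 */
function handleDownload(req, res, baseDir = __dirname) {
  const filename = req.query.filename;
  // Query parsers may hand back arrays or objects for repeated/bracketed keys;
  // only accept a plain string so the concatenation below is not fed coerced input.
  if (typeof filename !== 'string') {
    return undefined;
  }

  const reqPath = baseDir + filename; // user-controlled path
  const resolvedPath = pathmodule.resolve(reqPath); // resolve collapses "../" and "./" segments

  // Canonical allow-listed root, compared WITH a trailing separator.
  // A bare `startsWith(__dirname + '/uploads')` also accepts sibling entries such as
  // "<base>/uploads-private/secret", and a literal '/' is wrong on Windows (use path.sep).
  const uploadsDir = pathmodule.resolve(baseDir, 'uploads');
  if (!resolvedPath.startsWith(uploadsDir + pathmodule.sep)) {
    return undefined; // the requested filename cannot be retrieved outside of the "uploads" folder
  }

  // NOTE(review): a symlink placed inside uploads still resolves to wherever it points;
  // if users can write to uploads, also apply this prefix check to fs.realpathSync(resolvedPath).
  return fs.readFileSync(resolvedPath, { encoding: 'utf8', flag: 'r' }); // Compliant
}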
----
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
'''
== Comments And Links
(visible only on this page)
include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]