/Code Review/Path Traversal in File Download

Path Traversal in File Download

File path from user input allows directory traversal to access unauthorized files.

HIGHEasy

Vulnerable Codejavascript

1const express = require('express');
2const path = require('path');
3
4app.get('/download', (req, res) => {
5    const filename = req.query.file;
6    const filepath = path.join('/var/app/uploads', filename);
7    res.download(filepath);
8});

Understanding the Issue

The filename from user input is used directly in file operations. An attacker can use ../ sequences to traverse outside the intended directory and access sensitive system files like /etc/passwd, configuration files, or source code.

Directory Traversal Attack

Attacker uses ../ to escape the uploads directory

Malicious Input

GET /download?file=../../../etc/passwd
GET /download?file=....//....//etc/passwd
GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd

Impact

Resolved path: /etc/passwd

File contents returned:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...

✓ Attacker can read any file on server

Technical Details

Vulnerability Type: Path Traversal
Severity: HIGH
Language: Javascript
CWE: CWE-22
OWASP: A01:2021 - Broken Access Control

Path Traversal in File Download

Understanding the Issue

How Attackers Exploit This

Directory Traversal Attack

Finding the Vulnerability(3 hints)

Technical Details

Path Traversal in File Download

Understanding the Issue

How Attackers Exploit This

Directory Traversal Attack

Finding the Vulnerability(3 hints)

Technical Details