/Code Review/Path Traversal with Partial Sanitization

Path Traversal with Partial Sanitization

Incomplete path sanitization that can be bypassed with double encoding or nested sequences.

HIGHMedium

Vulnerable Codejavascript

1const express = require('express');
2const path = require('path');
3const fs = require('fs');
4
5app.get('/files/:filename', (req, res) => {
6    let filename = req.params.filename;
7    
8    // "Sanitize" by removing ../
9    filename = filename.replace('../', '');
10    
11    const filepath = path.join('/var/app/data', filename);
12    
13    if (fs.existsSync(filepath)) {
14        res.sendFile(filepath);
15    } else {
16        res.status(404).send('File not found');
17    }
18});

Understanding the Issue

String.replace() only removes the first occurrence. Attackers use nested sequences (....//), double encoding (%252e%252e/), or mixed encoding to bypass.

Nested Traversal Bypass

Use nested sequences to bypass single replace

Malicious Input

....//....//etc/passwd
..././..././etc/passwd
..%2F..%2Fetc/passwd

Impact

After replace: ../etc/passwd - still traverses!

Technical Details

Vulnerability Type: Path Traversal (Filter Bypass)
Severity: HIGH
Language: Javascript
CWE: CWE-22
OWASP: A01:2021 - Broken Access Control

Path Traversal with Partial Sanitization

Understanding the Issue

How Attackers Exploit This

Nested Traversal Bypass

Finding the Vulnerability(3 hints)

Technical Details

Path Traversal with Partial Sanitization

Understanding the Issue

How Attackers Exploit This

Nested Traversal Bypass

Finding the Vulnerability(3 hints)

Technical Details