Date: 2019-04-01

Resolve a relative path against a root path with validation.

This module protects against common attacks like GET /../file.js, which reaches outside the root folder.

Installation

This is a Node.js module available through the npm registry. Installation is done using the npm install command:

$ npm install resolve-path

API

var resolvePath = require('resolve-path')

Resolve a relative path against process.cwd() (the process's current working directory) and return an absolute path. This will throw if the resulting resolution seems malicious. The following are malicious:

The relative path is an absolute path

The relative path contains a NULL byte

The relative path resolves to a path outside of process.cwd()

The relative path traverses above process.cwd() and back down

Resolve a relative path against the provided root path and return an absolute path. This will throw if the resulting resolution seems malicious. The following are malicious:

The relative path is an absolute path

The relative path contains a NULL byte

The relative path resolves to a path outside of the root path

The relative path traverses above the root and back down
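The four conditions above can be sketched with Node's built-in path module alone. This is an added example, not the resolve-path source: safeResolve, httpError, outcome, the 400/403 status values and the /srv/public root are assumptions made for illustration, and the inputs are constructed.

```javascript
var path = require('path')
var posix = path.posix // POSIX rules, so the constructed sample paths behave the same on any OS

// Matches a ".." segment anywhere in a path ("/" or "\" as separator).
var UP_SEGMENT = /(?:^|[\\/])\.\.(?:[\\/]|$)/

function httpError (status, message) {
  var err = new Error(message)
  err.status = status // assumed field, mirroring how a server might read err.status
  return err
}

// Hypothetical helper implementing the listed checks; not the module's own code.
function safeResolve (rootPath, relativePath) {
  if (relativePath.indexOf('\0') !== -1) {
    throw httpError(400, 'path contains a NULL byte')
  }
  if (posix.isAbsolute(relativePath) || path.win32.isAbsolute(relativePath)) {
    throw httpError(400, 'path is absolute')
  }
  // Normalize first so "a/../b.js" collapses to "b.js". Any ".." that survives
  // means the path climbed above the root, even if it comes back down.
  if (UP_SEGMENT.test(posix.normalize('./' + relativePath))) {
    throw httpError(403, 'path traverses above the root')
  }
  var root = posix.resolve(rootPath)
  var full = posix.resolve(root, relativePath)
  // Final containment check on the resolved result (defense in depth).
  if (full !== root && full.indexOf(root + '/') !== 0) {
    throw httpError(403, 'path resolves outside the root')
  }
  return full
}

// Returns the resolved path, or the rejection status, for a constructed input.
function outcome (relativePath) {
  try {
    return safeResolve('/srv/public', relativePath)
  } catch (err) {
    return err.status
  }
}

console.log(outcome('a/../b.js'))         // stays inside the root
console.log(outcome('../public/file.js')) // rejected although it resolves back inside
```

The last input shows why "traverses above the root and back down" is listed separately: a plain resolve of ../public/file.js lands inside /srv/public, so a containment check on the final path alone would accept it.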

Example

Safely resolve paths in a public directory

var http = require('http')
var parseUrl = require('parseurl')
var path = require('path')
var resolvePath = require('resolve-path')

// the only directory that files may be resolved from
var publicDir = path.join(__dirname, 'public')

var server = http.createServer(function onRequest (req, res) {
  try {
    // get the decoded pathname from the request URL
    var pathname = decodeURIComponent(parseUrl(req).pathname)

    if (!pathname) {
      res.statusCode = 400
      res.end('path required')
      return
    }

    // remove the leading slash so the path is relative
    var filename = pathname.substr(1)

    // resolve against the public directory; throws on a malicious path
    var fullpath = resolvePath(publicDir, filename)

    res.statusCode = 200
    res.end('resolved to ' + fullpath)
  } catch (err) {
    // use the error's status when it has one, otherwise 500
    res.statusCode = err.status || 500
    res.end(err.message)
  }
})

server.listen(3000)

License

MIT