Package details

resolve-path

pillarjs · 4.6m downloads · MIT · 1.4.0

Resolve a relative path against a root path with validation

resolve, path, safe

readme

resolve-path


Resolve a relative path against a root path with validation.

This module protects against common attacks such as GET /../file.js, which would otherwise reach outside the root folder.

Installation

This is a Node.js module available through the npm registry. Installation is done using the npm install command:

$ npm install resolve-path

API

var resolvePath = require('resolve-path')

resolvePath(relativePath)

Resolve a relative path against process.cwd() (the process's current working directory) and return an absolute path. This will throw if the resulting resolution seems malicious. The following are malicious:

  • The relative path is an absolute path
  • The relative path contains a NULL byte
  • The relative path resolves to a path outside of process.cwd()
  • The relative path traverses above process.cwd() and back down

resolvePath(rootPath, relativePath)

Resolve a relative path against the provided root path and return an absolute path. This will throw if the resulting resolution seems malicious. The following are malicious:

  • The relative path is an absolute path
  • The relative path contains a NULL byte
  • The relative path resolves to a path outside of the root path
  • The relative path traverses above the root and back down

Example

Safely resolve paths in a public directory

var http = require('http')
var parseUrl = require('parseurl')
var path = require('path')
var resolvePath = require('resolve-path')

// the public directory
var publicDir = path.join(__dirname, 'public')

// the server
var server = http.createServer(function onRequest (req, res) {
  try {
    // get the pathname from the URL (decoded)
    var pathname = decodeURIComponent(parseUrl(req).pathname)

    if (!pathname) {
      res.statusCode = 400
      res.end('path required')
      return
    }

    // remove leading slash
    var filename = pathname.substr(1)

    // resolve the full path
    var fullpath = resolvePath(publicDir, filename)

    // echo the resolved path
    res.statusCode = 200
    res.end('resolved to ' + fullpath)
  } catch (err) {
    res.statusCode = err.status || 500
    res.end(err.message)
  }
})

server.listen(3000)

License

MIT

changelog

1.4.0 / 2018-02-13

  • Fix resolving paths with certain special characters
  • deps: http-errors@~1.6.2
    • Make message property enumerable for HttpErrors
    • deps: depd@1.1.1
    • deps: setprototypeof@1.0.3

1.3.3 / 2016-11-14

  • deps: path-is-absolute@1.0.1

1.3.2 / 2016-06-17

  • deps: http-errors@~1.5.0
    • Use setprototypeof module to replace __proto__ setting
    • deps: inherits@2.0.1
    • deps: statuses@'>= 1.3.0 < 2'
    • perf: enable strict mode

1.3.1 / 2016-02-28

  • deps: http-errors@~1.4.0

1.3.0 / 2015-06-15

  • Use path-is-absolute to better detect absolute paths
  • perf: enable strict mode
  • perf: skip a variable reassignment

1.2.2 / 2015-02-16

  • deps: http-errors@~1.3.1
    • Construct errors using defined constructors from createError
    • Fix error names that are not identifiers
    • Set a meaningful name property on constructed errors

1.2.1 / 2015-01-19

  • Fix root path disclosure

1.2.0 / 2015-01-05

  • Change error to 403 Forbidden when outside root
  • Fix argument type errors to be consistent
  • Fix path traversal vulnerability
  • Use http-errors module directly

1.1.0 / 2014-12-27

  • Resolve the root path argument
  • Use http-assert module

1.0.0 / 2014-03-23

  • Initial release