resolve-path
Resolve a relative path against a root path with validation.
This module would protect against commons attacks like GET /../file.js
which reaches outside the root folder.
Installation
This is a Node.js module available through the
npm registry. Installation is done using the
npm install
command:
$ npm install resolve-path
API
var resolvePath = require('resolve-path')
resolvePath(relativePath)
Resolve a relative path against process.cwd()
(the process's current working
directory) and return an absolute path. This will throw if the resulting resolution
seems malicious. The following are malicious:
- The relative path is an absolute path
- The relative path contains a NULL byte
- The relative path resolves to a path outside of
process.cwd()
- The relative path traverses above
process.cwd()
and back down
resolvePath(rootPath, relativePath)
Resolve a relative path against the provided root path and return an absolute path.
This will throw if the resulting resolution seems malicious. The following are
malicious:
- The relative path is an absolute path
- The relative path contains a NULL byte
- The relative path resolves to a path outside of the root path
- The relative path traverses above the root and back down
Example
Safely resolve paths in a public directory
var http = require('http')
var parseUrl = require('parseurl')
var path = require('path')
var resolvePath = require('resolve-path')
var publicDir = path.join(__dirname, 'public')
var server = http.createServer(function onRequest (req, res) {
try {
var pathname = decodeURIComponent(parseUrl(req).pathname)
if (!pathname) {
res.statusCode = 400
res.end('path required')
return
}
var filename = pathname.substr(1)
var fullpath = resolvePath(publicDir, filename)
res.statusCode = 200
res.end('resolved to ' + fullpath)
} catch (err) {
res.statusCode = err.status || 500
res.end(err.message)
}
})
server.listen(3000)
License
MIT