Launch Week Day 2: Introducing Reports: An Extensible Reporting Framework for Socket Data.Learn More
Socket
Book a DemoSign in
Socket
Book a DemoSign in

resolve-path

Package Overview
Dependencies
Maintainers
5
Versions
10
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

resolve-path

Resolve a relative path against a root path with validation

latest
Source
npmnpm
Version
1.4.0
Version published
Weekly downloads
1.7M
2.77%
Maintainers
5
Weekly downloads
 
Created
Source

resolve-path

NPM Version NPM Downloads Node.js Version Linux Build Windows Build Test Coverage

Resolve a relative path against a root path with validation.

This module would protect against commons attacks like GET /../file.js which reaches outside the root folder.

Installation

This is a Node.js module available through the npm registry. Installation is done using the npm install command:

$ npm install resolve-path

API

var resolvePath = require('resolve-path')

resolvePath(relativePath)

Resolve a relative path against process.cwd() (the process's current working directory) and return an absolute path. This will throw if the resulting resolution seems malicious. The following are malicious:

  • The relative path is an absolute path
  • The relative path contains a NULL byte
  • The relative path resolves to a path outside of process.cwd()
  • The relative path traverses above process.cwd() and back down

resolvePath(rootPath, relativePath)

Resolve a relative path against the provided root path and return an absolute path. This will throw if the resulting resolution seems malicious. The following are malicious:

  • The relative path is an absolute path
  • The relative path contains a NULL byte
  • The relative path resolves to a path outside of the root path
  • The relative path traverses above the root and back down

Example

Safely resolve paths in a public directory

var http = require('http')
var parseUrl = require('parseurl')
var path = require('path')
var resolvePath = require('resolve-path')

// the public directory
var publicDir = path.join(__dirname, 'public')

// the server
var server = http.createServer(function onRequest (req, res) {
  try {
    // get the pathname from the URL (decoded)
    var pathname = decodeURIComponent(parseUrl(req).pathname)

    if (!pathname) {
      res.statusCode = 400
      res.end('path required')
      return
    }

    // remove leading slash
    var filename = pathname.substr(1)

    // resolve the full path
    var fullpath = resolvePath(publicDir, filename)

    // echo the resolved path
    res.statusCode = 200
    res.end('resolved to ' + fullpath)
  } catch (err) {
    res.statusCode = err.status || 500
    res.end(err.message)
  }
})

server.listen(3000)

License

MIT

Keywords

resolve
path
safe

FAQs

Package last updated on 13 Feb 2018

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

Namastex.ai npm Packages Hit with TeamPCP-Style CanisterWorm Malware

Research

Namastex.ai npm Packages Hit with TeamPCP-Style CanisterWorm Malware

Malicious Namastex.ai npm packages appear to replicate TeamPCP-style Canister Worm tradecraft, including exfiltration and self-propagation.

By Socket Research Team  -  Apr 22, 2026
Socket for Jira Is Now Available

Product

Socket for Jira Is Now Available

Socket for Jira lets teams turn alerts into Jira tickets with manual creation, automated ticketing rules, and two-way sync.

By Jeppe Hasseriis  -  Apr 20, 2026