Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket

resolve-path

Package Overview
Dependencies
Maintainers
5
Versions
10
Alerts
File Explorer

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

resolve-path

Resolve a relative path against a root path with validation

  • 1.4.0
  • latest
  • Source
  • npm
  • Socket score

Version published
Weekly downloads
731K
decreased by-19.29%
Maintainers
5
Weekly downloads
 
Created
Source

resolve-path

NPM Version NPM Downloads Node.js Version Linux Build Windows Build Test Coverage

Resolve a relative path against a root path with validation.

This module would protect against commons attacks like GET /../file.js which reaches outside the root folder.

Installation

This is a Node.js module available through the npm registry. Installation is done using the npm install command:

$ npm install resolve-path

API

var resolvePath = require('resolve-path')

resolvePath(relativePath)

Resolve a relative path against process.cwd() (the process's current working directory) and return an absolute path. This will throw if the resulting resolution seems malicious. The following are malicious:

  • The relative path is an absolute path
  • The relative path contains a NULL byte
  • The relative path resolves to a path outside of process.cwd()
  • The relative path traverses above process.cwd() and back down

resolvePath(rootPath, relativePath)

Resolve a relative path against the provided root path and return an absolute path. This will throw if the resulting resolution seems malicious. The following are malicious:

  • The relative path is an absolute path
  • The relative path contains a NULL byte
  • The relative path resolves to a path outside of the root path
  • The relative path traverses above the root and back down

Example

Safely resolve paths in a public directory

var http = require('http')
var parseUrl = require('parseurl')
var path = require('path')
var resolvePath = require('resolve-path')

// the public directory
var publicDir = path.join(__dirname, 'public')

// the server
var server = http.createServer(function onRequest (req, res) {
  try {
    // get the pathname from the URL (decoded)
    var pathname = decodeURIComponent(parseUrl(req).pathname)

    if (!pathname) {
      res.statusCode = 400
      res.end('path required')
      return
    }

    // remove leading slash
    var filename = pathname.substr(1)

    // resolve the full path
    var fullpath = resolvePath(publicDir, filename)

    // echo the resolved path
    res.statusCode = 200
    res.end('resolved to ' + fullpath)
  } catch (err) {
    res.statusCode = err.status || 500
    res.end(err.message)
  }
})

server.listen(3000)

License

MIT

Keywords

FAQs

Package last updated on 13 Feb 2018

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc