Resolve a relative path against a root path with validation.
This module would protect against commons attacks like GET /../file.js
which reaches outside the root folder.
This is a Node.js module available through the
npm registry. Installation is done using the
npm install
command:
$ npm install resolve-path
var resolvePath = require('resolve-path')
Resolve a relative path against process.cwd()
(the process's current working
directory) and return an absolute path. This will throw if the resulting resolution
seems malicious. The following are malicious:
- The relative path is an absolute path
- The relative path contains a NULL byte
- The relative path resolves to a path outside of
process.cwd()
- The relative path traverses above
process.cwd()
and back down
Resolve a relative path against the provided root path and return an absolute path. This will throw if the resulting resolution seems malicious. The following are malicious:
- The relative path is an absolute path
- The relative path contains a NULL byte
- The relative path resolves to a path outside of the root path
- The relative path traverses above the root and back down
var http = require('http')
var parseUrl = require('parseurl')
var path = require('path')
var resolvePath = require('resolve-path')
// the public directory
var publicDir = path.join(__dirname, 'public')
// the server
var server = http.createServer(function onRequest (req, res) {
try {
// get the pathname from the URL (decoded)
var pathname = decodeURIComponent(parseUrl(req).pathname)
if (!pathname) {
res.statusCode = 400
res.end('path required')
return
}
// remove leading slash
var filename = pathname.substr(1)
// resolve the full path
var fullpath = resolvePath(publicDir, filename)
// echo the resolved path
res.statusCode = 200
res.end('resolved to ' + fullpath)
} catch (err) {
res.statusCode = err.status || 500
res.end(err.message)
}
})
server.listen(3000)