next.js - solution of NextPath (ctf in hack the box) - Stack Overflow

How to bypass numeric-only regex (/^[0-9]+$/m) to read ../flag.txt in Next.js API?

Question:

I'm working on a CTF challenge where I need to bypass a regex filter that only allows numbers and prevents directory traversal (../).

Here’s the vulnerable Next.js API route handling file reads:


import path from 'path';
import fs from 'fs';

const ID_REGEX = /^[0-9]+$/m;  // Only allows digits (the /m flag makes ^ and $ match at line boundaries)

export default function handler({ query }, res) {
    if (!query.id) {
        res.status(400).end("Missing id parameter");
        return;
    }

    // Validate input format (only numbers allowed)
    if (!ID_REGEX.test(query.id)) {
        console.error("Invalid format:", query.id);
        res.status(400).end("Invalid format");
        return;
    }

    // Prevent directory traversal
    if (query.id.includes("/") || query.id.includes("..")) {
        console.error("DIRECTORY TRAVERSAL DETECTED:", query.id);
        res.status(400).end("DIRECTORY TRAVERSAL DETECTED?!? This incident will be reported.");
        return;
    }

    try {
        const filepath = path.join("team", query.id + ".png");
        const content = fs.readFileSync(filepath.slice(0, 100));  // Truncates the path to its first 100 characters

        res.setHeader("Content-Type", "image/png");
        res.status(200).end(content);
    } catch (e) {
        console.error("Not Found", e.toString());
        res.status(404).end(e.toString());
    }
}

What I Tried:

  1. Regex Bypass:

The regex (/^[0-9]+$/m) only allows digits, so I can't use "/" or "..".

Can I manipulate this to resolve to ../flag.txt instead of team/.png?
