node.js - How to fix "Path Manipulation Vulnerability" in some Node js? - Stack Overflow

I have implemented all kinds of validation but Fortify is still throwing a path manipulation error. What is the correct solution for resolving the path manipulation issue in Node.js for Fortify?

Below is my code

const fs = require("fs");
const path = require("path");
const SAFE_USERGUIDE_PATH = path.resolve(__dirname, "..", "..", "userGuide");
function readFileSecure(filePath) {
  // normalize file path
  const safe_input = path.normalize(filePath);

  // Prevent null bytes and absolute paths
  if (filePath.includes("\0") || path.isAbsolute(filePath)) {
    throw new Error("Invalid file path!");
  }

  // Resolve safely within the secure directory
  const safe_path = path.normalize(path.resolve(SAFE_USERGUIDE_PATH, safe_input));

  // Ensure path is still within the SAFE_USERGUIDE_PATH
  if (!safe_path.startsWith(SAFE_USERGUIDE_PATH + path.sep)) {
    throw new Error("Invalid directory access attempt!");
  }

  // Prevent symbolic link attacks
  const stat = fs.lstatSync(safe_path);
  if (!stat.isFile()) {
    throw new Error("Invalid file access!");
  }

  return fs.readFileSync(safe_path, "utf8");
}

I have tried normalize, resolve, character validation and startsWith validation but the error is still coming... The issue was easily resolved in the Java app but in Node.js the Fortify path manipulation finding is not going away.

asked Mar 12 at 12:37 by Muthu Kumar

1 Answer

In a nutshell, you'd want to sanitize the file path you get from user input so it can't be used to traverse backwards past the SAFE_USERGUIDE_PATH.

Generally speaking, you should probably not attempt to write your own sanitizer, but depend on a well-proven third party, such as filenamify:

import filenamify from "filenamify"; // npm install filenamify (the package is ESM-only from v5)

const safe_input = filenamify(filePath);