
richardgirges / express-fileupload / 46282c63-b555-4d06-9e41-36ccf1fc817f
Coverage: 93% (master: 95%)

Build: last build branch security-path-validation; default branch master
Ran 19 Dec 2025 08:54AM UTC · Jobs 1 · Files 9 · Run time 396min

19 Dec 2025 08:49AM UTC coverage: 92.969% (-1.6%) from 94.524%
Build 46282c63-b555-4d06-9e41-36ccf1fc817f · Pull #390 · circleci · h15629526027
Add optional path validation to prevent path traversal attacks

This change adds opt-in path validation to protect against path traversal
vulnerabilities when user input is passed to the mv() function.

## Changes:

### New Configuration Options:
- uploadDir: Base directory for uploads (null = validation disabled)
- validatePaths: Enable/disable validation (default: true)
- allowAbsolutePaths: Allow absolute paths (default: false)

### Security Features:
- Validates paths to prevent directory traversal (../)
- Blocks URL encoded attacks (%2e%2e%2f)
- Blocks double URL encoding (%252e%252e)
- Blocks null byte injection (%00)
- Blocks Windows-style traversal (..\)
- Prevents paths from escaping uploadDir
- Validates path length (max 1024 chars)

### Implementation:
- Added validateUploadPath() function in lib/utilities.js
- Integrated validation in lib/fileFactory.js mv() method
- Added comprehensive test suite (15+ test cases)
- Updated README with security best practices

## Backward Compatibility:
- NON-BREAKING: Validation only active when uploadDir is set
- Existing code without uploadDir works exactly as before
- No changes required for current users

## Testing:
- All existing tests pass
- New tests cover path traversal prevention
- Tested with real application (legacy and secure modes)
- Attack vectors successfully blocked

Addresses security concerns around path traversal when developers
pass user-controlled input to file.mv() without validation.
Pull Request #390: Add optional path validation to prevent path traversal attacks

185 of 205 branches covered (90.24%)

30 of 38 new or added lines in 2 files covered. (78.95%)

357 of 384 relevant lines covered (92.97%)

744.52 hits per line

New Missed Lines in Diff

File                 New missed lines   Coverage   ∆
lib/fileFactory.js   4                  77.78%     -22.22%
lib/utilities.js     4                  97.52%     -2.48%
Jobs

ID   Job ID                                   Ran                       Files   Coverage
1    46282c63-b555-4d06-9e41-36ccf1fc817f.1   19 Dec 2025 08:54AM UTC   9       92.97%
Source Files on build 46282c63-b555-4d06-9e41-36ccf1fc817f: 9 files listed, 3 changed (0 with source changes, 3 with coverage changes)
Related:
  • CircleCI Build #46282C63...
  • Pull Request #390
  • PR Base - master (#1F440444...)
© 2026 Coveralls, Inc