richardgirges / express-fileupload
93%
master: 95%

LAST BUILD BRANCH: security-path-validation
DEFAULT BRANCH: master
Repo Added 18 Feb 2017 04:21AM UTC
Files 9
19 Dec 2025 10:50AM UTC coverage: 92.969% (-1.6%) from 94.524%
57eada64-12e3-4809-a474-ee1ff0a655d3

Pull #390

circleci

Theodoros Malachias
Add optional path validation to prevent path traversal attacks

This change adds opt-in path validation to protect against path traversal
vulnerabilities when user input is passed to the mv() function.

## Changes:

### New Configuration Options:
- uploadDir: Base directory for uploads (null = validation disabled)
- validatePaths: Enable/disable validation (default: true)
- allowAbsolutePaths: Allow absolute paths (default: false)

### Security Features:
- Validates paths to prevent directory traversal (../)
- Blocks URL encoded attacks (%2e%2e%2f)
- Blocks double URL encoding (%252e%252e)
- Blocks null byte injection (%00)
- Blocks Windows-style traversal (..\)
- Prevents paths from escaping uploadDir
- Validates path length (max 1024 chars)

### Implementation:
- Added validateUploadPath() function in lib/utilities.js
- Integrated validation in lib/fileFactory.js mv() method
- Added comprehensive test suite (15+ test cases)
- Updated README with security best practices

## Backward Compatibility:
- NON-BREAKING: Validation only active when uploadDir is set
- Existing code without uploadDir works exactly as before
- No changes required for current users

## Testing:
- All existing tests pass
- New tests cover path traversal prevention
- Tested with real application (legacy and secure modes)
- Attack vectors successfully blocked

Addresses security concerns around path traversal when developers
pass user-controlled input to file.mv() without validation.
Pull Request #390: Add optional path validation to prevent path traversal attacks

185 of 205 branches covered (90.24%)

30 of 38 new or added lines in 2 files covered. (78.95%)

357 of 384 relevant lines covered (92.97%)

744.42 hits per line


Recent builds

Builds Branch Commit Type Ran Committer Via Coverage
57eada64... security-path-validation Pull #390 19 Dec 2025 10:51AM UTC Theodoros Malachias circleci 92.97
46282c63... security-path-validation Pull #390 19 Dec 2025 08:54AM UTC h15629526027 circleci 92.97
© 2025 Coveralls, Inc