    resolve-path

    Resolve a relative path against a root path with validation.

    This module protects against common attacks like GET /../file.js, which reaches outside the root folder.

    Installation

    This is a Node.js module available through the npm registry. Installation is done using the npm install command:

    $ npm install resolve-path

    API

    var resolvePath = require('resolve-path')
    

    resolvePath(relativePath)

    Resolve a relative path against process.cwd() (the process's current working directory) and return an absolute path. This will throw if the resulting resolution seems malicious. The following are malicious:

    • The relative path is an absolute path
    • The relative path contains a NULL byte
    • The relative path resolves to a path outside of process.cwd()
    • The relative path traverses above process.cwd() and back down

    resolvePath(rootPath, relativePath)

    Resolve a relative path against the provided root path and return an absolute path. This will throw if the resulting resolution seems malicious. The following are malicious:

    • The relative path is an absolute path
    • The relative path contains a NULL byte
    • The relative path resolves to a path outside of the root path
    • The relative path traverses above the root and back down
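
The rejection rules listed above can be expressed with Node's built-in path module. The following is an added sketch, not resolve-path's own source or code from its authors; the helper names checkedResolve and classify, the /srv/public root, the sample inputs and the 400/403 status values are assumptions made for illustration.

```javascript
// Added sketch of the documented checks; not resolve-path's own source.
var nodePath = require('path')
var posix = nodePath.posix // POSIX rules so results match on any host OS

// Hypothetical helper. The status values are assumptions of this sketch.
function checkedResolve (rootPath, relativePath) {
  function reject (status, reason) {
    var err = new Error(reason)
    err.status = status
    throw err
  }
  // NULL byte: some native file APIs truncate the name at \0
  if (relativePath.indexOf('\0') !== -1) reject(400, 'null byte')
  // Absolute input would discard the root entirely when resolved
  if (posix.isAbsolute(relativePath) || nodePath.win32.isAbsolute(relativePath)) {
    reject(400, 'absolute path')
  }
  // After normalization only leading ".." segments survive; any one of them
  // means the path climbed above the root, even if it comes back down
  var normalized = posix.normalize('./' + relativePath)
  if (normalized.split('/').indexOf('..') !== -1) reject(403, 'above root')
  // Containment check on the final result as a second line of defence
  var root = posix.resolve(rootPath)
  var full = posix.join(root, normalized)
  if (full !== root && full.indexOf(root + '/') !== 0) reject(403, 'outside root')
  return full
}

// Constructed sample inputs (already URL-decoded), covering each documented rule
var SAMPLES = ['css/site.css', 'a/../b.js', '/etc/passwd', 'x\0.js',
  '../file.js', '../public/index.html', 'a/../../public/b.js']

// Returns "input -> resolved path" or "input -> rejected (status reason)"
function classify (rootPath, inputs) {
  return inputs.map(function (input) {
    try {
      return JSON.stringify(input) + ' -> ' + checkedResolve(rootPath, input)
    } catch (err) {
      return JSON.stringify(input) + ' -> rejected (' + err.status + ' ' + err.message + ')'
    }
  })
}

console.log(classify('/srv/public', SAMPLES).join('\n'))
```

Note that '../public/index.html' is rejected even though it would land back inside /srv/public: this is the "traverses above the root and back down" rule, which a containment check on the final path alone would not catch.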

    Example

    Safely resolve paths in a public directory

    var http = require('http')
    var parseUrl = require('parseurl')
    var path = require('path')
    var resolvePath = require('resolve-path')
     
    // the public directory
    var publicDir = path.join(__dirname, 'public')
     
    // the server
    var server = http.createServer(function onRequest (req, res) {
      try {
        // get the pathname from the URL (decoded)
        var pathname = decodeURIComponent(parseUrl(req).pathname)
     
        if (!pathname) {
          res.statusCode = 400
          res.end('path required')
          return
        }
     
        // remove leading slash
        var filename = pathname.substr(1)
     
        // resolve the full path
        var fullpath = resolvePath(publicDir, filename)
     
        // echo the resolved path
        res.statusCode = 200
        res.end('resolved to ' + fullpath)
      } catch (err) {
        res.statusCode = err.status || 500
        res.end(err.message)
      }
    })
     
    server.listen(3000)

    License

    MIT

    Weekly downloads: 44,821

    Version: 1.4.0
