node package manager

resolve-path

Resolve a relative path against a root path with validation

resolve-path

NPM Version NPM Downloads Node.js Version Linux Build Windows Build Test Coverage

Resolve a relative path against a root path with validation.

This module would protect against commons attacks like GET /../file.js which reaches outside the root folder.

Installation

This is a Node.js module available through the npm registry. Installation is done using the npm install command:

$ npm install resolve-path

API

var resolvePath = require('resolve-path')

resolvePath(relativePath)

Resolve a relative path against process.cwd() (the process's current working directory) and return an absolute path. This will throw if the resulting resolution seems malicious. The following are malicious:

  • The relative path is an absolute path
  • The relative path contains a NULL byte
  • The relative path resolves to a path outside of process.cwd()
  • The relative path traverses above process.cwd() and back down

resolvePath(rootPath, relativePath)

Resolve a relative path against the provided root path and return an absolute path. This will throw if the resulting resolution seems malicious. The following are malicious:

  • The relative path is an absolute path
  • The relative path contains a NULL byte
  • The relative path resolves to a path outside of the root path
  • The relative path traverses above the root and back down

Example

Safely resolve paths in a public directory

var http = require('http')
var parseUrl = require('parseurl')
var path = require('path')
var resolvePath = require('resolve-path')
 
// the public directory 
var publicDir = path.join(__dirname, 'public')
 
// the server 
var server = http.createServer(function onRequest (req, res) {
  try {
    // get the pathname from the URL (decoded) 
    var pathname = decodeURIComponent(parseUrl(req).pathname)
 
    if (!pathname) {
      res.statusCode = 400
      res.end('path required')
      return
    }
 
    // remove leading slash 
    var filename = pathname.substr(1)
 
    // resolve the full path 
    var fullpath = resolvePath(publicDir, filename)
 
    // echo the resolved path 
    res.statusCode = 200
    res.end('resolved to ' + fullpath)
  } catch (err) {
    res.statusCode = err.status || 500
    res.end(err.message)
  }
})
 
server.listen(3000)

License

MIT