Typescript Unsanitized File Path Sendfile
Description
Detects when an Express.js application uses sendFile() with unsanitized file paths that may contain user input. This vulnerability could allow attackers to access files outside the intended directory through path traversal attacks, potentially exposing sensitive system files.
Detection Strategy
• Check if the application imports both 'express' and 'path' modules
• Identify calls to sendFile() function in Express.js routes
• Examine the file path argument passed to sendFile()
• Verify if the file path contains user-controlled input
• Confirm that the path is not properly sanitized or validated before use
• Report a vulnerability if unsanitized user input is used in the file path
Vulnerable code example
const path = require('path');
const express = require('express');
function serveFile(req, res) {
  const userFile = req.params.file;
  // VULNERABLE: Direct use of user input in path resolution without validation
  // A value such as "../../etc/passwd" resolves outside sensitive_files/
  res.sendFile(path.resolve('sensitive_files/', userFile));
}
✅ Secure code example
const path = require('path');
const express = require('express');
function serveFile(req, res) {
  const userFile = req.params.file;
  // Validate file extension and characters
  const validFilePattern = /^[a-zA-Z0-9_-]+\.(txt|pdf|jpg)$/;
  // Reject anything that is not a plain allowlisted file name (no separators, no "..")
  if (!validFilePattern.test(userFile)) {
    return res.status(400).send('Invalid file name');
  }
  res.sendFile(path.resolve('sensitive_files/', userFile));
}