Javascript External Control Of Filename

Description

Detects when Express.js applications use externally controlled input (such as request parameters, query strings or body fields) to specify filenames in file operations. This is a path traversal vulnerability: by manipulating the filename parameter, an attacker can make the application read, write or move files outside the directory the developer intended.

Weakness:

098 - External control of file name or path

Category: Data Manipulation

Detection Strategy

    Look for Express.js route handlers or middleware functions that handle file operations

    Identify file operation functions (like fs.readFile, fs.writeFile) where the filename parameter comes from user input

    Check if the filename parameter is derived from request parameters, query strings, or body content without proper validation

    Verify that the filename is used directly in file operations without path sanitization or validation checks
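The four steps above describe a simple taint rule: a request field flows into the path argument of an fs call. The following detector is an added example written for this entry, not part of the page or of any scanner; it implements that rule over a constructed source sample with one-hop propagation through `const x = req.query...` declarations, and checks both path arguments of `fs.rename` (source and destination), since either one can be attacker-controlled. Regex-based matching is an assumption that keeps the example self-contained; a production rule would work on a parsed AST.

```javascript
'use strict';

// Constructed sample source: two handlers that should be flagged and one that should not.
const SAMPLE_SOURCE = `
const express = require('express');
const fs = require('fs');
const path = require('path');
const app = express();

app.post('/upload', (req, res) => {
    const source = '/tmp/file';
    const targetName = req.query.name;
    fs.rename(source, './uploads/' + targetName, err => {});
});

app.get('/read', (req, res) => {
    fs.readFile(path.join('/data', req.params.id), 'utf8', (err, data) => {});
});

app.get('/static', (req, res) => {
    fs.readFile('/var/www/index.html', 'utf8', (err, data) => {});
});
`;

// Step 3: externally controlled input in an Express handler.
const TAINT_SOURCE = /\breq\.(query|params|body)\b/;
// Step 2: fs functions that take a filesystem path.
const FS_PATH_CALL = /\bfs(?:\.promises)?\.(readFile|readFileSync|writeFile|writeFileSync|rename|renameSync|unlink|unlinkSync|appendFile|appendFileSync|createReadStream|createWriteStream)\s*\(/g;
// Which argument positions are paths; everything not listed uses [0].
const PATH_ARG_INDEX = { rename: [0, 1], renameSync: [0, 1] };

// Identifiers declared directly from a taint source, e.g. `const targetName = req.query.name`.
function taintedIdentifiers(source) {
    const tainted = new Set();
    const decl = /\b(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*([^;\n]+)/g;
    let m;
    while ((m = decl.exec(source)) !== null) {
        if (TAINT_SOURCE.test(m[2])) tainted.add(m[1]);
    }
    return tainted;
}

// Split the argument list of a call whose '(' is at index `open`, respecting
// nested brackets and string literals (so commas inside them do not split).
function splitArguments(source, open) {
    const args = [];
    let depth = 0;
    let quote = null;
    let start = open + 1;
    for (let i = open; i < source.length; i++) {
        const c = source[i];
        if (quote) {
            if (c === '\\') i++;
            else if (c === quote) quote = null;
            continue;
        }
        if (c === '"' || c === "'" || c === '`') { quote = c; continue; }
        if (c === '(' || c === '[' || c === '{') { depth++; continue; }
        if (c === ')' || c === ']' || c === '}') {
            depth--;
            if (depth === 0) { args.push(source.slice(start, i)); return args; }
            continue;
        }
        if (c === ',' && depth === 1) { args.push(source.slice(start, i)); start = i + 1; }
    }
    args.push(source.slice(start));
    return args;
}

// Step 4: report each fs call whose path argument mentions a taint source or a tainted identifier.
function findings(source) {
    const tainted = [...taintedIdentifiers(source)]
        .map(id => new RegExp('\\b' + id.replace(/\$/g, '\\$') + '\\b'));
    const results = [];
    FS_PATH_CALL.lastIndex = 0;
    let m;
    while ((m = FS_PATH_CALL.exec(source)) !== null) {
        const fn = m[1];
        const args = splitArguments(source, m.index + m[0].length - 1);
        for (const i of PATH_ARG_INDEX[fn] || [0]) {
            const arg = args[i];
            if (arg === undefined) continue;
            if (TAINT_SOURCE.test(arg) || tainted.some(re => re.test(arg))) {
                const line = source.slice(0, m.index).split('\n').length;
                results.push({ line, call: 'fs.' + fn, argument: arg.trim() });
            }
        }
    }
    return results;
}

for (const f of findings(SAMPLE_SOURCE)) {
    console.log(`line ${f.line}: ${f.call} path argument from user input: ${f.argument}`);
}
```

Run with `node detect.js`; the sample produces two findings (the `fs.rename` destination built from `targetName`, and the `fs.readFile` path built from `req.params.id`) and none for the static path. The one-hop propagation is the part worth extending: a value that passes through a helper function or is assigned twice is missed here, which is exactly why real rules track taint on an AST rather than on text.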

Vulnerable code example

const express = require('express');
const fs = require('fs');
const app = express();

app.post('/upload', (req, res) => {
    const source = '/tmp/file';
    const targetName = req.query.name;  // User-controlled input
    fs.rename(source, './uploads/' + targetName, err => {  // VULN: Path traversal via unsanitized filename
        if (err) {
            return res.status(500).send('rename failed');
        }
        res.send('ok');
    });
});

app.listen(3000);

✅ Secure code example

const express = require('express');
const fs = require('fs');
const path = require('path');
const crypto = require('crypto');
const app = express();

app.post('/upload', (req, res) => {
    const source = '/tmp/file';...