I have implemented all kinds of validation, but Fortify is still throwing a path manipulation error. What is the correct solution for resolving the path manipulation issue in Node.js for Fortify?
Below is my code:
const fs = require("fs");
const path = require("path");
const SAFE_USERGUIDE_PATH = path.resolve(__dirname, "..", "..", "userGuide");
function readFileSecure(filePath) {
  // Normalize file path
  const safe_input = path.normalize(filePath);
  // Prevent null bytes and absolute paths
  if (filePath.includes("\0") || path.isAbsolute(filePath)) {
    throw new Error("Invalid file path!");
  }
  // Resolve safely within the secure directory
  const safe_path = path.normalize(path.resolve(SAFE_USERGUIDE_PATH, safe_input));
  // Ensure path is still within the SAFE_USERGUIDE_PATH
  if (!safe_path.startsWith(SAFE_USERGUIDE_PATH + path.sep)) {
    throw new Error("Invalid directory access attempt!");
  }
  // Prevent symbolic link attacks
  const stat = fs.lstatSync(safe_path);
  if (!stat.isFile()) {
    throw new Error("Invalid file access!");
  }
  return fs.readFileSync(safe_path, "utf8");
}
I have tried normalize, resolve, character validation and startsWith validation, but the error is still coming... The issue was easily resolved in a Java app, but in Node.js the Fortify path manipulation is not going away.
Asked Mar 12 at 12:37 by Muthu Kumar
1 Answer
In a nutshell, you'd want to sanitize the file path you get from user input so it can't be used to traverse backwards past the SAFE_USERGUIDE_PATH.
Generally speaking, you should probably not attempt to write your own sanitizer, but depend on a well-proven third party, such as filenamify:
const safe_input = filenamify(filePath);