How to check filename string not to be a filepath

Question

I am writing a server application on node js. Operating system is Linux.

I receive filename as a plain string, so it can be hacked. Then I concatenate the filename string and path string like this:

filepath = '/home/www/upload/' + filename;

I want to protect an upload script from writing to anywhere except upload folder [or it's subfolders : optional], using my application logic, not Linux.

My current naive solution is blocking filenames which have .. substring. I don't care if someone has filename with two dots.

Sure, when it comes to security, I have to ask the audience for advice: can anything go wrong?

I would follow some of the guidances from http://stackoverflow.com/questions/11100821/javascript-regex-for-validating-filenames Basically, avoid anything not being `[a-zA-Z0-9]` and just a few more characters. — fedorqui, Oct 25 '13 at 12:28
@fedorqui I think if would be better to use node's filesystem or path API. — TheHippo, Oct 25 '13 at 13:30

score 2 · Answer 1 · answered Oct 25 '13 at 12:38

2

I'd use path.resolve for this: http://nodejs.org/api/path.html

Try filepath = path.resolve(filepath)

and then

goodPath = filepath.startsWith('/your/allowed/upload/dir');

answered Oct 25 '13 at 12:38

ikari

331
2
8

score 0 · Answer 2 · answered Oct 25 '13 at 13:31

0

if (path.basename(filepath) != filename) {
  // reject that sukka
}

answered Oct 25 '13 at 13:31

SilverlightFox

32,436
11
76
145

How to check filename string not to be a filepath

2 Answers2