javascript - does nodejs prevent directory/path traversal by default?

Question

Expressjs's "express.static()" prevents directory/path traversal by default but I thought Nodejs does not have any protection towards directory/path traversal by default?? Recently trying to learn some web development security(directory/path traversal) and I created this:

const http = require("http");
const fs = require("fs");

http
  .createServer(function (req, res) {
    if (req.url === "/") {
      fs.readFile("./public/index.html", "UTF-8", function (err, data) {
        if (err) throw err;
        res.writeHead(200, { "Content-Type": "text/html" });
        res.end(data);
      });
    } else {
      if (req.url === "/favicon.ico") {
        res.writeHead(200, { "Content-Type": "image/ico" });
        res.end("404 file not found");
      } else {  
        fs.readFile(req.url, "utf8", function (err, data) {
          if (err) throw err;
          res.writeHead(200, { "Content-Type": "text/plain" });
          res.end(data);
        });
      }
    }
  })
  .listen(3000);

console.log("The server is running on port 3000");

to simulate directory/path traversal security vulnerability but I tried to use "../../../secret.txt" and when I check "req.url", it shows "/secret.txt" instead of "../../../secret.txt" and I also tried using "%2e" & "%2f", it still doesn't work, I still can't get "secret.txt"

(My folder Structure)

- node_modules
- public
  - css
    - style.css
  - images
    - dog.jpeg
  - js
    - script.js
  index.html
- package.json
- README.md
- server.js
- secret.txt

question from:https://stackoverflow.com/questions/65860214/does-nodejs-prevent-directory-path-traversal-by-default

Answer 1

As per the documentation of express.static [1], which leads to the docs of the serve-static module [2], the directory you provide is the root directory, meaning it's intentionally made impossible to access anything outside of it.

To serve static files such as images, CSS files, and JavaScript files, use the express.static built-in middleware function in Express.

The function signature is:

express.static(root, [options])

The root argument specifies the root directory from which to serve static assets. For more information on the options argument, see express.static. [3]

[1] https://expressjs.com/en/starter/static-files.html

[2] https://expressjs.com/en/resources/middleware/serve-static.html#API

[3] https://expressjs.com/en/4x/api.html#express.static

---

Not related, but fyi: the path you're providing to fs etc. is relative to where the script is called from.

For example, if you call node server.js from the root folder of the application, the path "./public/index.html" should work fine, but if you're calling it from a different path, it will fail, e.g. node /home/user/projects/this-project/server.js.

Thus, you should always join the path with __dirname, like so:

+const path = require("path");

-fs.readFile("./public/index.html", "UTF-8", function (err, data) {
+fs.readFile(path.join(__dirname, "./public/index.html"), "UTF-8", function (err, data) {
}

this makes the path relative to the directory of the current file you're trying to access it from, which is what you expect.