23 changes: 23 additions & 0 deletions doc/api/url.md
Expand Up @@ -1329,6 +1329,19 @@ changes:
This function ensures the correct decodings of percent-encoded characters as
well as ensuring a cross-platform valid absolute path string.

**Security Considerations:**

This function decodes percent-encoded characters, including encoded dot-segments
(`%2e` as `.` and `%2e%2e` as `..`), and then normalizes the resulting path.
This means that encoded directory traversal sequences (such as `%2e%2e`) are
decoded and processed as actual path traversal, even though encoded slashes
(`%2F`, `%5C`) are correctly rejected.

**Applications must not rely on `fileURLToPath()` alone to prevent directory
traversal attacks.** Always perform explicit path validation and security checks
on the returned path value to ensure it remains within expected boundaries
before using it for file system operations.

```mjs
import { fileURLToPath } from 'node:url';

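Review bot: the parenthetical "encoded slashes (`%2F`, `%5C`) are correctly rejected" should state on which platforms that holds; as written it reads as though both sequences are rejected everywhere, and a reader on a POSIX host, where a backslash is an ordinary filename character, may take `%5C` rejection for granted. Either qualify it (for example "`%2F` on every platform, `%5C` on Windows") after checking it against the implementation, or drop `%5C` from the list. Separately, the bolded guidance says "Always perform explicit path validation and security checks on the returned path value to ensure it remains within expected boundaries" and an ```mjs example block follows immediately, so consider showing that check in the example (resolve the returned path against the intended root directory and reject it unless it stays under that root) rather than leaving readers to invent their own.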
Expand Down Expand Up @@ -1384,6 +1397,15 @@ representation of the path, a `Buffer` is returned. This conversion is
helpful when the input URL contains percent-encoded segments that are
not valid UTF-8 / Unicode sequences.

**Security Considerations:**

This function has the same security considerations as [`url.fileURLToPath()`][].
It decodes percent-encoded characters, including encoded dot-segments
(`%2e` as `.` and `%2e%2e` as `..`), and normalizes the path. **Applications
must not rely on this function alone to prevent directory traversal attacks.**
Always perform explicit path validation on the returned buffer value before
using it for file system operations.

### `url.format(URL[, options])`

<!-- YAML
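Review bot: the closing sentence asks for "explicit path validation on the returned buffer value", but this function exists precisely for paths whose percent-encoded segments are not valid UTF-8 (see the paragraph at the top of the hunk), so the usual string-based boundary check cannot be applied to the `Buffer` without a conversion that may not round-trip the bytes. Worth one sentence saying that the boundary check has to be done on the raw bytes, or that the caller must decode with the filesystem's actual encoding before comparing against the allowed root. Minor: the sentences "It decodes percent-encoded characters, including encoded dot-segments (`%2e` as `.` and `%2e%2e` as `..`), and normalizes the path." repeat the `fileURLToPath()` text almost verbatim; since the first sentence already cross-references that section, this paragraph could be reduced to the cross-reference plus the bolded warning.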
Expand Down Expand Up @@ -2014,6 +2036,7 @@ console.log(myURL.origin);
[`querystring`]: querystring.md
[`url.domainToASCII()`]: #urldomaintoasciidomain
[`url.domainToUnicode()`]: #urldomaintounicodedomain
[`url.fileURLToPath()`]: #urlfileurltopathurl-options
[`url.format()`]: #urlformaturlobject
[`url.href`]: #urlhref
[`url.parse()`]: #urlparseurlstring-parsequerystring-slashesdenotehost