

security vulnerability with directory #771

mikerobe opened this Issue · 1 comment



Suppose someone adds directory('.') to connect(). It'll pass the check for non-empty root and if a requestor asks for /../../../../../../, it'll also pass the check for malicious path because path.indexOf(root) is true since the path starts with ..

So creating directory('.') in your middleware stack has the unintended result of giving someone listing rights on your whole computer (subject to permissions of web server user).

The directory middleware should probably resolve the root parameter to an absolute path before using it.


The easiest solution to this is to change line 56 in directory.js from

    , root = normalize(root);

to

    , root = path.resolve(root);

which normalizes and makes the path absolute.

Incidentally, it might also be a good idea to allow disabling the following of symlinks (although this would require doing lstat on every path component after the root).

@jonathanong jonathanong closed this in #929
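
An added sketch (not connect's code and not from the issue author) that reconstructs the prefix check as the issue describes it and compares it with a check against a resolved root. The function names and sample request paths are constructed for illustration, and the separator-boundary comparison goes slightly beyond the one-line fix proposed above.

```javascript
const path = require('path');

// Check as described in the issue (reconstructed, hypothetical name):
// the root is only normalized, and a request is accepted when the joined
// path starts with the root string.
function describedCheck(root, urlPath) {
  const normRoot = path.normalize(root);
  const target = path.normalize(path.join(normRoot, urlPath));
  return { target, allowed: target.indexOf(normRoot) === 0 };
}

// Hardened check (hypothetical name): resolve the root to an absolute path
// first, then require the target to be the root itself or to sit below it.
// Comparing against root + separator keeps a sibling directory whose name
// merely begins with the root's name from counting as "inside".
function resolvedCheck(root, urlPath) {
  const absRoot = path.resolve(root);
  const target = path.resolve(path.join(absRoot, urlPath));
  const prefix = absRoot.endsWith(path.sep) ? absRoot : absRoot + path.sep;
  return { target, allowed: target === absRoot || target.startsWith(prefix) };
}

// Constructed sample request paths (not taken from any real log).
const samples = ['/', '/public/css', '/../../../../../../', '/public/../../etc'];

// Run both checks over the samples for a given root, e.g. '.'.
function compare(root) {
  return samples.map((urlPath) => ({
    urlPath,
    described: describedCheck(root, urlPath).allowed,
    resolved: resolvedCheck(root, urlPath).allowed,
  }));
}

// With root '.', the described check accepts every path that normalizes to
// something starting with '.', which is exactly the set of '../' escapes.
console.table(compare('.'));
```

With a relative root, the string-prefix test accepts the traversal requests and rejects an ordinary subdirectory request, because `'public/css'` does not begin with `'.'` while `'../../'` does.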