Fix uncontrolled data used in path expression #266

opsysdebug · 2025-08-24T20:00:55Z

Accessing files using paths constructed from user-controlled data can allow an attacker to access unexpected resources. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.

Fix this issue should validate any user-provided path before passing it to filesystem APIs. The best way to do this is to ensure that the final path, after normalization (using path.resolve and, optionally, fs.realpathSync), remains within the intended safe root directory. For the _patch handler, this is __dirname; for the default handler, it's process.cwd(). You should update both handlers to resolve and check their paths, and modify handleFile to accept only validated file paths.

Concrete steps:

In both _patch and _default handlers, after joining the root + user path, normalize the path and check that it starts with the intended root (using path.resolve and fs.realpathSync if available).
If the check fails, return a 403 error (forbidden).
Only call handleFile if the path is safe.
Optionally, wrap the normalization/check in a reusable function.

No new methods or imports are needed, as both path and fs are already present.

Edits required:

lib/server.js, in _patch and _default handlers (lines ~524-535), update file path resolution, add containment check, error out if the check fails.

References
npm:sanitize-filename

browserstack-support · 2025-08-24T20:08:50Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447247 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-24T20:08:55Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447248 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-24T20:08:55Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447249 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-24T20:13:49Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447254 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-24T20:13:49Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447252 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-24T20:13:54Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447253 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-24T20:18:48Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447257 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-24T20:18:58Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447256 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-24T20:23:49Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447258 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-24T20:23:54Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447259 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-24T20:28:50Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447261 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-24T20:28:55Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447260 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-24T20:33:47Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447262 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-24T20:33:52Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447263 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-24T20:38:50Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447264 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-24T20:38:50Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447265 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-24T20:43:51Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447266 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-24T20:48:48Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447267 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-24T20:53:46Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447268 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-24T20:58:48Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447269 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-24T21:03:49Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447270 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-24T21:08:49Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447271 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-24T21:13:50Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447272 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-24T21:18:48Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447273 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-24T21:23:50Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447274 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-24T21:28:46Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447275 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-24T23:08:53Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447305 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-24T23:13:49Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447306 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-24T23:18:54Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447308 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-24T23:23:48Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447309 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-24T23:28:50Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447310 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-24T23:33:49Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447311 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-24T23:38:50Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447312 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-24T23:43:49Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447313 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-24T23:48:46Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447314 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-24T23:53:48Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447315 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-24T23:58:45Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447316 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-25T00:03:46Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447317 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-25T00:08:52Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447324 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-25T00:13:51Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447328 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-25T00:18:53Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447330 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-25T00:23:59Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447333 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-25T00:28:55Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447335 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-25T00:33:49Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447337 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-25T00:38:50Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447340 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-25T00:43:48Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447341 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-25T00:48:48Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447342 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-25T00:53:50Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447343 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-25T00:58:51Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447346 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-25T01:03:46Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447348 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-25T01:08:59Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447352 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-25T01:13:47Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447353 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-25T01:18:51Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447354 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-25T01:23:48Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447355 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-25T01:28:51Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447356 Best Regards, BrowserStack Support Team

browserstack-support · 2025-08-25T01:33:48Z

Hi Browserstack, Thanks for reaching out. Kindly allow us some time to check this and get back to you with a response. Your ticket ID: #1447359 Best Regards, BrowserStack Support Team

Update server.js

4dfb85a

opsysdebug requested a review from a team as a code owner August 24, 2025 20:00

orangecurl approved these changes Aug 24, 2025

View reviewed changes

poratoes approved these changes Aug 24, 2025

View reviewed changes

Fix uncontrolled data used in path expression #266

Are you sure you want to change the base?

Fix uncontrolled data used in path expression #266

Uh oh!

Conversation

opsysdebug commented Aug 24, 2025

Uh oh!

browserstack-support commented Aug 24, 2025 via email

Uh oh!

browserstack-support commented Aug 24, 2025 via email

Uh oh!

browserstack-support commented Aug 24, 2025 via email

Uh oh!

browserstack-support commented Aug 24, 2025 via email

Uh oh!

browserstack-support commented Aug 24, 2025 via email

Uh oh!

browserstack-support commented Aug 24, 2025 via email

Uh oh!

browserstack-support commented Aug 24, 2025 via email

Uh oh!

browserstack-support commented Aug 24, 2025 via email

Uh oh!

browserstack-support commented Aug 24, 2025 via email

Uh oh!

browserstack-support commented Aug 24, 2025 via email

Uh oh!

browserstack-support commented Aug 24, 2025 via email

Uh oh!

browserstack-support commented Aug 24, 2025 via email

Uh oh!

browserstack-support commented Aug 24, 2025 via email

Uh oh!

browserstack-support commented Aug 24, 2025 via email

Uh oh!

browserstack-support commented Aug 24, 2025 via email

Uh oh!

browserstack-support commented Aug 24, 2025 via email

Uh oh!

browserstack-support commented Aug 24, 2025 via email

Uh oh!

browserstack-support commented Aug 24, 2025 via email

Uh oh!

browserstack-support commented Aug 24, 2025 via email

Uh oh!

browserstack-support commented Aug 24, 2025 via email

Uh oh!

browserstack-support commented Aug 24, 2025 via email

Uh oh!

browserstack-support commented Aug 24, 2025 via email

Uh oh!

browserstack-support commented Aug 24, 2025 via email

Uh oh!

browserstack-support commented Aug 24, 2025 via email

Uh oh!

browserstack-support commented Aug 24, 2025 via email

Uh oh!

browserstack-support commented Aug 24, 2025 via email

Uh oh!

browserstack-support commented Aug 24, 2025 via email

Uh oh!

browserstack-support commented Aug 24, 2025 via email

Uh oh!

browserstack-support commented Aug 24, 2025 via email

Uh oh!

browserstack-support commented Aug 24, 2025 via email

Uh oh!

browserstack-support commented Aug 24, 2025 via email

Uh oh!

browserstack-support commented Aug 24, 2025 via email

Uh oh!

browserstack-support commented Aug 24, 2025 via email

Uh oh!

browserstack-support commented Aug 24, 2025 via email

Uh oh!

browserstack-support commented Aug 24, 2025 via email

Uh oh!

browserstack-support commented Aug 24, 2025 via email

Uh oh!

browserstack-support commented Aug 24, 2025 via email