I have implemented all kinds of validation but fortify still throwing path manipulation error. What is correct solution for resolving path manipulation issue in Nodejs for Fortify?
Below is my code
const fs = require("fs");
const path = require("path");
const SAFE_USERGUIDE_PATH = path.resolve(__dirname, "..", "..", "userGuide");
function readFileSecure(filePath) {
// normalize fie path
const safe_input = path.normalize(filePath);
// Prevent null bytes and absolute paths
if (filePath.includes("\0") || path.isAbsolute(filePath)) {
throw new Error("Invalid file path!");
}
// Resolve safely within the secure directory
const safe_path = path.normalize(path.resolve(SAFE_USERGUIDE_PATH, safe_input));
// Ensure path is still within the SAFE_USERGUIDE_PATH
if (!safe_path.startsWith(SAFE_USERGUIDE_PATH + path.sep)) {
throw new Error("Invalid directory access attempt!");
}
// Prevent symbolic link attacks
const stat = fs.lstatSync(safe_path);
if (!stat.isFile()) {
throw new Error("Invalid file access!");
}
return fs.readFileSync(safe_path, "utf8");
}
I have tried normalize, resolve, character validation and startswith validation but still error coming... The issue was easily resolved in Java app but in nodejs the Foritfy path manipulation is not going
In a nutshell, you'd want to sanitize the file path you get from user input so it can't be used to traverse backwards past the SAFE_USERGUIDE_PATH.
Generally speaking, you should probably not attempt to write your own sanitizer, but depend on a well-proven third party, such as filenamify:
const safe_input = filenamify(filePath);