Skip to content

Comments

fix: prevent path traversal via directory prefix collision in _joinDirectoryName#1062

Merged
tunnckoCore merged 1 commit intonode-formidable:masterfrom
vnykmshr:fix/join-directory-name-traversal
Feb 18, 2026
Merged

fix: prevent path traversal via directory prefix collision in _joinDirectoryName#1062
tunnckoCore merged 1 commit intonode-formidable:masterfrom
vnykmshr:fix/join-directory-name-traversal

Conversation

@vnykmshr
Copy link
Contributor

@vnykmshr vnykmshr commented Feb 15, 2026

Fixes #1061

The startsWith check in _joinDirectoryName() compared string prefixes, not filesystem paths. When uploadDir lacks a trailing separator (the default — os.tmpdir() never includes one), sibling directories sharing the same prefix bypass the traversal check.

Changes:

  • Use path.resolve() to normalize both paths before comparison
  • Append path.sep to the resolved directory, ensuring the path is inside the directory
  • Handle the edge case where the resolved path equals the directory itself

Tests added:

  • Standard traversal blocked (regression)
  • Sibling directory prefix collision blocked (the fix)
  • Valid subdirectory within uploadDir allowed (happy path)
  • Name resolving to uploadDir itself blocked (edge case)

@vnykmshr
fix: prevent path traversal via directory prefix collision in _joinDi…
ba19011 
…rectoryName

The startsWith check compared string prefixes, not filesystem paths.
When uploadDir lacks a trailing separator (the default), sibling
directories sharing the same prefix bypass the check.

Use path.resolve + path.sep to ensure the resolved path is inside the
upload directory, not just sharing a string prefix.

Fixes node-formidable#1061
@tunnckoCore
Copy link
Member

tunnckoCore commented Feb 18, 2026

thanks, will check.

tunnckoCore
tunnckoCore approved these changes Feb 18, 2026
View reviewed changes
Copy link
Member

@tunnckoCore tunnckoCore left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, good catch

@tunnckoCore tunnckoCore merged commit 720cdfd into node-formidable:master Feb 18, 2026
1 check passed
@vnykmshr vnykmshr mentioned this pull request Feb 19, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tunnckoCore tunnckoCore tunnckoCore approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

_joinDirectoryName traversal check bypassable via directory prefix collision

2 participants

@vnykmshr @tunnckoCore