Time Remaining5:00
hardSecurityExpress

The path walker

A developer asked an AI assistant to build an endpoint that serves user-uploaded files by filename from a local uploads folder. The suggested code works for normal filenames, but lets a malicious request read arbitrary files off the server's filesystem.

files.js
app.get('/files/:filename', (req, res) => {
  const filePath = path.join(__dirname, 'uploads', req.params.filename);
  res.sendFile(filePath);
});

What can an attacker do by requesting GET /files/..%2f..%2f..%2fetc%2fpasswd?

Read arbitrary files outside the uploads directory — path.join doesn't stop '..' segments from escaping the intended folder, enabling path traversal.
Nothing — Express automatically blocks any filename containing '..' before it reaches the route handler.
The request 404s because path.join throws on URL-encoded slashes.
res.sendFile refuses any path containing dots, so the request is rejected by design.